At the end of 2018, the long-awaited update to the ISO 26262 standard was finalized and published. This new version expands the scope of the original 2011 publication to incorporate additional safety measures and vehicle categories beyond the original passenger-car applications. With this expansion, many of our customers are coming to us with the same questions: Does this updated standard apply to my project, and how do I incorporate it into my development process?
Although the ISO 26262 standard can seem complex and overwhelming, we can guide you in the right direction and help you answer the important questions. With our team of Automotive Functional Safety Engineers (AFSEs), we will show you a path to production that incorporates the safety standards required across today’s industries. We will assist your company in clarifying whether the updated ISO 26262 standard applies to your project, conduct a risk assessment of your product and development cycle, provide you with ISO 26262 capable hardware, and teach you how to incorporate the development processes necessary to achieve the safety standard.
What is ISO 26262?
ISO 26262 is an international standard for road vehicles that provides a framework for functional safety across the lifecycle of electrical and electronic (E/E) systems. Some requirements are product specific; others apply to the development process itself. The standard describes how companies should integrate functional safety into their development process, with requirements and recommendations on how to achieve an appropriate level of functional safety. Put simply, it is a common standard for assessing and verifying the safety of a system before it is put into service.
ISO 26262 defines a safety lifecycle that gives companies a way to manage functional safety and product development at the system, hardware, and software levels, from concept through decommissioning. It includes an automotive-specific, risk-based approach for determining the risk classes of a system, called Automotive Safety Integrity Levels (ASILs), as well as validation and confirmation practices that show the vehicle reaches an acceptable level of safety.
What Revisions were Made to the 2018 Version?
The 2018 revision of the ISO 26262 standard, titled “Road Vehicles – Functional Safety,” includes industry feedback and updates based on advances in technology since the standard was originally published. The standard was restructured to provide more detailed objectives and an extended vocabulary. Additions to the ISO standard include:
- Objective oriented confirmation measures
- Management of safety anomalies
- References to cybersecurity, including guidance on how functional safety and cybersecurity activities interact
- Updated target values for hardware architecture metrics
- Evaluation of hardware elements
- Additional guidance on dependent failure analysis
- Guidance on fault tolerance, safety-related special characteristics, and software tools.
- Guidance for model-based development and software safety analysis
In addition, two completely new parts were added to the document: ISO 26262-11 (guidelines on applying the standard to semiconductors) and ISO 26262-12 (adaptation of the standard for motorcycles).
The addition of most concern to our customers is the expanded scope: the standard now covers trucks, buses, trailers, semitrailers, and motorcycles in addition to light-duty passenger vehicles.
How and When Does ISO 26262 Apply to Your Project?
Firstly, let’s address when your system is not required to follow the newly released ISO 26262 standard. The standard does not address unique E/E systems in special vehicles, and it exempts systems that predate it, including:
- Systems designed for drivers with disabilities
- Systems and their components released for production prior to the publication date
- Systems and their components already under development at the publication date
The standard is intended to be applied to safety-related E/E systems in series-production road vehicles, meaning vehicles used by or among the general public. As stated above, this now includes trucks, buses, trailers, semitrailers, and motorcycles. In addition, if you are making alterations to an existing system that was released for production prior to the publication date, that further development falls within the scope of the updated standard.
What Does an ASIL Requirement Mean and How is it Determined?
To understand what ASIL requirements are, we must first look at Hazard Analysis and Risk Assessment (HARA). A HARA identifies and classifies the hazardous events that can result from malfunctioning behavior of the system. Each hazardous event is assessed on three factors: the probability of exposure to the operational situation in which the malfunction can cause harm, the severity of the potential injuries to the driver, passengers, or other road users, and the probability that a typical driver or other person at risk could act in time to avoid the harm. Once all hazardous events are assessed, the HARA process defines safety goals to prevent or mitigate each hazard and assigns each safety goal an Automotive Safety Integrity Level (ASIL); a safety goal that covers several hazardous events takes the highest ASIL among them.
ASILs are an automotive-specific, risk-based classification that sets the risk class and integrity level of each safety goal, and with it the rigor of the requirements and measures the standard applies to meet that goal. The ASIL is a function of three variables: exposure, severity, and controllability.
Exposure – how often does the operational situation in which the hazard can cause harm occur?
Severity – how severe is the potential harm?
Controllability – are the driver, occupants, or other persons at risk able to act in time to avoid the harm?
Since the ISO 26262 standard was originally published in 2011, industry experience and practice in this area have been formalized in “SAE J2980 – Considerations for ISO 26262 ASIL Hazard Classification.” This document provides guidelines on what each class means in a typical scenario. For example, controllability class C2, ‘Normally controllable’, applies if 90% or more of all drivers are usually able to act to avoid the specified harm. The guidelines can act as a rule of thumb in cases that require a judgement call.
Once these three classes are established for each hazardous event, the ASIL can be read from the determination table of ISO 26262-3, shown in the chart below.
A quality management (QM) rating means the hazard carries no ISO 26262 safety requirement and normal quality processes suffice. All other combinations yield a rating of ASIL A through ASIL D, with D the most demanding, depending on the combination of severity, exposure, and controllability rather than on severity alone.
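As an added worked example (illustrative code, not from New Eagle and not part of the standard's text), the following Python encodes the ISO 26262-3 ASIL determination table, shows the closed form that reproduces it, and rolls per-event ASILs up into one ASIL per safety goal as the HARA does. The hazardous events, safety goal names and S/E/C values at the bottom are constructed for illustration and do not describe any real product.

```python
"""HARA classification: S/E/C classes -> ASIL, then one ASIL per safety goal.

Added example, not New Eagle code. The 3x4x3 table is the ASIL determination
table of ISO 26262-3; the hazardous events at the bottom are constructed.
"""
from dataclasses import dataclass

ASIL_ORDER = ["QM", "A", "B", "C", "D"]   # index 0..4, used for comparisons

# ISO 26262-3 ASIL determination table, indexed as ASIL_TABLE[S][E][C - 1].
ASIL_TABLE = {
    1: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "QM"), 3: ("QM", "QM", "A"), 4: ("QM", "A", "B")},
    2: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "A"), 3: ("QM", "A", "B"), 4: ("A", "B", "C")},
    3: {1: ("QM", "QM", "A"), 2: ("QM", "A", "B"), 3: ("A", "B", "C"), 4: ("B", "C", "D")},
}


def determine_asil(s: int, e: int, c: int) -> str:
    """ASIL for one hazardous event from its S (0-3), E (0-4) and C (0-3) classes.

    S0 (no injuries), E0 (incredible) and C0 (controllable in general) carry
    no ASIL requirement in the standard, so any zero class yields QM.
    """
    if s not in range(4) or e not in range(5) or c not in range(4):
        raise ValueError(f"invalid classes S{s} E{e} C{c}")
    if 0 in (s, e, c):
        return "QM"
    return ASIL_TABLE[s][e][c - 1]


def determine_asil_closed_form(s: int, e: int, c: int) -> str:
    """Equivalent closed form: the table is exactly max(0, S + E + C - 6).

    Useful as a cross-check when reviewing a HARA spreadsheet by hand.
    """
    if 0 in (s, e, c):
        return "QM"
    return ASIL_ORDER[max(0, s + e + c - 6)]


def table_matches_closed_form() -> bool:
    """Self-check: lookup table and closed form agree on all 36 cells."""
    return all(
        determine_asil(s, e, c) == determine_asil_closed_form(s, e, c)
        for s in (1, 2, 3) for e in (1, 2, 3, 4) for c in (1, 2, 3)
    )


@dataclass(frozen=True)
class HazardousEvent:
    description: str
    safety_goal: str   # the safety goal that covers this event
    s: int
    e: int
    c: int

    @property
    def asil(self) -> str:
        return determine_asil(self.s, self.e, self.c)


def safety_goal_asils(events: list[HazardousEvent]) -> dict[str, str]:
    """One ASIL per safety goal: the highest ASIL of the events it covers."""
    result: dict[str, str] = {}
    for ev in events:
        current = result.get(ev.safety_goal, "QM")
        result[ev.safety_goal] = max(current, ev.asil, key=ASIL_ORDER.index)
    return result


# Constructed sample HARA rows for an electric drive (illustrative values only).
SAMPLE_EVENTS = [
    HazardousEvent("Unintended acceleration at highway speed", "SG1: prevent unintended torque", 3, 4, 2),
    HazardousEvent("Unintended acceleration while parking", "SG1: prevent unintended torque", 3, 3, 1),
    HazardousEvent("Loss of propulsion in city traffic", "SG2: avoid loss of propulsion", 2, 4, 1),
    HazardousEvent("Loss of propulsion in a parking lot", "SG2: avoid loss of propulsion", 1, 3, 1),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"S{ev.s} E{ev.e} C{ev.c} -> ASIL {ev.asil}: {ev.description}")
    print(safety_goal_asils(SAMPLE_EVENTS))
```

Note that the roll-up is why a safety goal can end up at a higher ASIL than most of its hazardous events: one highway-speed event at S3/E4/C2 drives SG1 to ASIL C even though the parking event alone is only ASIL A.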
The safety goals and their ASILs are refined into Functional Safety Requirements (FSRs), which inherit the ASIL of the safety goal they derive from. Later in the development process, the requirements are allocated to elements (e.g. ECUs) for implementation.
The Cost of ASIL Compliance
The cost and complexity of compliance can increase by as much as an order of magnitude from ASIL A up to ASIL D. While ASIL A may have a small, limited effect on the development process, safety goals rated ASIL D are expected to have significant cost and schedule effects for a program.
For example, to plan, execute, verify, and document compliance, the following effort multipliers could be considered:
Functional System (QM baseline) : 1x
ASIL A : 1.5x – 3x
ASIL B : 2x – 4x
ASIL C : 5x – 8x
ASIL D : 10x+
These multipliers depend heavily on current process maturity, system design, and system requirements. Specific requirements and obligatory work items for software, hardware, and tools are provided within the safety standard.
How Can ASIL Decomposition Save Time and Money?
ISO 26262-9 describes ASIL-oriented and safety-oriented analyses. One of these is ASIL decomposition, in which an ASIL-rated safety requirement is split over redundant and sufficiently independent elements in your design, each of which can then be developed to a lower ASIL. As higher ASILs typically cost more, decomposition can help meet safety requirements with reduced cost and effort.
Decomposition follows a set of predefined schemes and can be repeated, since the ISO standard allows multilevel decomposition. The figure below shows an example of decomposing an ASIL D requirement using three different schemes.
Decomposition can be applied at different levels, working down through the system, subsystems, software, and hardware. ASIL decomposition is typically performed manually and must result in redundant safety requirements allocated to design elements whose independence has been demonstrated, for example by dependent failure analysis. Here at New Eagle, we have certified staff and experience with ASIL tailoring, such as ASIL decomposition, which may be applied within your project to save cost and time.
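As an added example (illustrative code, not New Eagle's tooling), the following Python encodes the decomposition schemes of ISO 26262-9 (D into D+QM, C+A or B+B; C into C+QM or B+A; B into B+QM or A+A; A into A+QM), checks a proposed split of one requirement, and carries a requirement through two decomposition levels using the standard's notation, in which the decomposed requirement keeps the original ASIL in parentheses (e.g. ASIL B(D)). The `independent` flag stands in for the outcome of a dependent failure analysis, which the script does not perform.

```python
"""ASIL decomposition check per ISO 26262-9 (added example, not New Eagle code).

Encodes the decomposition schemes and checks a proposed split of one safety
requirement over two redundant elements. The `independent` flag represents
the result of a dependent failure analysis done elsewhere.
"""
from dataclasses import dataclass

ASIL_ORDER = ["QM", "A", "B", "C", "D"]
LEVEL = {name: i for i, name in enumerate(ASIL_ORDER)}


def decomposition_schemes(original: str) -> list[tuple[str, str]]:
    """Allowed pairs for one level, highest first.

    D -> D+QM, C+A, B+B; C -> C+QM, B+A; B -> B+QM, A+A; A -> A+QM.
    Numerically: both parts are at most the original and their levels sum to it.
    """
    n = LEVEL[original]
    if n == 0:
        return []   # QM cannot be decomposed further
    return [(ASIL_ORDER[a], ASIL_ORDER[n - a]) for a in range(n, (n + 1) // 2 - 1, -1)]


@dataclass(frozen=True)
class DecomposedRequirement:
    asil: str        # level the redundant element must be developed to
    inherited: str   # original ASIL, kept in parentheses, e.g. B(D)

    def label(self) -> str:
        return f"{self.asil}({self.inherited})"


def validate_decomposition(original: str, part_a: str, part_b: str,
                           independent: bool) -> tuple[bool, str]:
    """Return (ok, reason) for splitting `original` into part_a and part_b."""
    for name in (original, part_a, part_b):
        if name not in LEVEL:
            return False, f"unknown ASIL {name!r}"
    if not independent:
        # Without demonstrated independence there is no decomposition credit:
        # a common-cause failure would defeat both elements at once.
        return False, (f"elements not sufficiently independent: both keep ASIL "
                       f"{original}")
    pair = tuple(sorted((part_a, part_b), key=LEVEL.get, reverse=True))
    if pair not in decomposition_schemes(original):
        return False, (f"{part_a}+{part_b} is not an ISO 26262-9 scheme for ASIL "
                       f"{original}; allowed: {decomposition_schemes(original)}")
    return True, f"{part_a}({original}) + {part_b}({original})"


def decompose(req: DecomposedRequirement, part_a: str, part_b: str,
              independent: bool) -> tuple[DecomposedRequirement, DecomposedRequirement]:
    """One decomposition step. The inherited ASIL in parentheses never changes,
    so repeated calls give multilevel decomposition."""
    ok, reason = validate_decomposition(req.asil, part_a, part_b, independent)
    if not ok:
        raise ValueError(reason)
    return (DecomposedRequirement(part_a, req.inherited),
            DecomposedRequirement(part_b, req.inherited))


def multilevel_example() -> list[str]:
    """ASIL D -> B(D) + B(D), then one B(D) -> A(D) + A(D)."""
    root = DecomposedRequirement("D", "D")
    left, right = decompose(root, "B", "B", independent=True)
    left_a, left_b = decompose(left, "A", "A", independent=True)
    return [left_a.label(), left_b.label(), right.label()]


if __name__ == "__main__":
    for lvl in ("D", "C", "B", "A"):
        print(lvl, "->", decomposition_schemes(lvl))
    print(validate_decomposition("D", "C", "A", independent=True))
    print(validate_decomposition("D", "C", "A", independent=False))
    print(validate_decomposition("D", "B", "A", independent=True))
    print(multilevel_example())
```

The parenthesised ASIL matters in practice: activities that apply to the combined requirement (such as safety validation of the safety goal) are still carried out at the original ASIL, and only the development of each redundant element is relaxed.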
Path to Production
Based on your ASIL allocations after decomposition, you need to select an ECU for your design that best meets the requirements the ISO 26262 standard imposes at that ASIL. For each ASIL, you will likely have a list of required diagnostic coverage mechanisms. In a typical safety design, for example, the processor integrates a self-checking safety monitor. The hardware also typically includes established safety features, such as error correcting code (ECC) memory and a programmable watchdog timer, to help detect system failures and runtime faults. A modern safety CPU uses a multicore architecture with a hardware lockstep mechanism, which can significantly reduce software complexity while improving reliability and availability. These architectures include built-in self-test and measures against common cause failures.
Using an off-the-shelf component in a safety design requires that the component be capable of executing the necessary functions, be compatible with your system design, and be well documented; typically it is documented as a Safety Element out of Context (SEooC). It is important to understand which subcomponents of the ECU can be relied upon for safety-related functions of your application, as these are the elements your safety design will use. Diagnostic coverage mechanisms must be in place that can detect dangerous failures within these components before they can be used in a safety function. The ECU vendor documents these assumptions in a Safety Manual, and they must be taken into account: they constrain where an off-the-shelf part can be applied in any given design.
Here at New Eagle, we have several Raptor™ hardware design options available for production projects that require ISO 26262. These safety capable ECUs target ASIL B – ASIL D, and include a range of I/O and communication interfaces.
- GCM196 / ECM196 – This ASIL B capable hardware design is built on the standard automotive e-gas monitoring concept commonly used for powertrain control. Depending on the results of ASIL decomposition, this is an excellent option for multiple safety goals with various ASIL ratings. This control module has three CAN buses, one LIN bus, and a large variety of I/O.
- C48 – This powerful general-purpose control module is perfect for applications that require advanced performance, timing systems, and functional safety capabilities. The CPU is a high-performance multi-core architecture that can support the highest level of functional safety (ASIL-D).
- GCM121 – This ASIL C capable, general-purpose control module is perfect for applications that require advanced performance, timing systems, and functional safety capabilities. It has a broad communication capacity with its four CAN buses, two LIN buses, and one Ethernet bus.
- C112 – This powerful general-purpose control module is perfect for applications that require advanced performance and heavy communication requirements due to its four CAN buses, two LIN buses, and Ethernet capabilities. The CPU is a high-performance multi-core architecture that can support the highest level of functional safety (ASIL-D).
These examples illustrate a range of design options, which can be matched with your system requirements to create a solution compatible with your needs. All ISO 26262 production projects require safety planning and implementation assistance from our Functional Safety Certified staff. Please contact our sales team to discuss our available options.
Important Safety Standard Considerations
It is important to consider ISO 26262 safety standards when developing electronic systems, especially since this standard now incorporates a variety of road vehicle applications. Failing to do so and potentially overlooking possible vehicle malfunctions during the development process could result in liability issues for the manufacturer down the road.
For those companies that are unfamiliar with ISO 26262, seeking consultation from our AFSEs will help you to incorporate the safety standard into your development. Our engineering expertise and line of rugged, ISO 26262 capable hardware design options will help you build an efficient path to production.
April has arrived, bringing New Eagle into 2019’s second quarter. With it, comes more robust ways to take control of your machine while managing development timelines and cost.
If you’re planning to start an EV/HEV solution, learn about our
- New and featured EV/HEV products
- Tips for navigating feasibility and identifying an ECU supplier that fits your needs.
- Popular May 2019 Raptor Training class
- Innovative electric rock crusher application
to help get you started.
EV and HEV Products
Great new products join the Raptor family, making it faster, easier and more reliable than ever for you to take your EV/HEV machines on a path from concept to production. Here are a few of our favorite additions:
- GCM80 joins the Raptor product line as an eVCU, a high-volume ECU with four CAN buses, LIN, and seamless integration with Raptor’s development tools and process.
- HV Heater & A/C options for 400V EV systems from Mitsubishi are production-validated automotive units ideal for EV/HEV projects.
- Axial Flux Motors from Magelec are permanent magnet motors improving EV efficiency while offering flexible design options.
- RMS/BorgWarner Next Generation Inverters are designed for volume OEM and heavy equipment EV and HEV applications.
Get details on these and more EV and HEV product options for your on and off-road machines by visiting our Product Wiki.
Starting an EV/HEV Project?
If you’re beginning an electric drivetrain project, request New Eagle’s Feasibility Guide. Created by safety-certified engineers, its valuable insights help navigate this “phase zero” stage of development so your project gets on the best path to production.
Identifying a Production ECU Supplier
For developers navigating the early stages of machine development, selecting a production ECU supplier is one of the most important decisions to make in the process. Unfortunately, it’s not an easy one. Find out what you should ask and look for before selecting a supplier for your project.
May 2019 Raptor Training
Our popular Raptor Training program returns to New Eagle’s Headquarters in Ann Arbor, Michigan on May 7-9, 2019.
In this three day class, attendees will build on the fundamentals of embedded model-based design using the Raptor platform’s Raptor-Dev and Raptor-Cal, while applying controls, embedded systems and MATLAB Simulink/Stateflow knowledge.
Space is limited, so register before it runs out!
Featured Application: Electric Rock Crusher
Our application engineering team leveraged Raptor™ to electrify Kolberg-Pioneer’s industrial rock crusher, creating a solution Kolberg-Pioneer hopes to scale to a new generation of electric-power machines. Read how in this case study.
Be among the first to know about new product additions, upcoming events, and exclusive insights by subscribing to our eNews.
As autonomous vehicle technology continues its rapid advancement, more and more developers struggle to identify a platform bridging their autonomous command system with vehicular actuation that is easily scaled to production. While there are a number of research-geared solutions on the market, few offer the safe, automotive-grade components necessary for a seamless transition to production.
For developers serious about bringing their autonomous technology to market, a platform comprised of automotive-grade components, like New Eagle’s drive-by-wire kits, could prove the solution they need.
Drive-By-Wire Kits: Uniting AI and Automotive
New Eagle’s drive-by-wire kits allow developers’ AI systems to interface using ROS. Translating these ROS commands into CAN signals, the drive-by-wire kit delivers reliable control over throttle, brake, steering and shifting in production vehicles. Combining production, automotive-grade hardware with proven control software, New Eagle’s drive-by-wire kits offer developers a solution better-aligned to meet production requirements than research-intent alternatives.
Designed with Safety First
Designed by safety-certified engineers, all drive-by-wire kits include seven driver intervention overrides to ensure safe vehicle operation. From command, steering, throttle, shift, brake, and e-stop overrides to an innovative “heartbeat” system that regularly checks for a reliable connection between the vehicle and the autonomous command computer, New Eagle’s drive-by-wire solutions are safety-focused platforms for advancing autonomous technology to production.
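As an added example of how a heartbeat check and driver overrides fit together (illustrative Python, not New Eagle's implementation, and not the message layout of any real kit), the following assumes the autonomy computer sends a periodic heartbeat carrying an 8-bit rolling counter; the vehicle-side arbiter falls back to an assumed safe state when beats stop arriving or stop advancing, and any driver override takes precedence over the autonomy command. The heartbeat period, miss tolerance, safe state and timeline are all constructed. One caveat a practitioner should keep in mind: a heartbeat shows the link is alive, and on plain CAN it does not show who is sending, so it is a safety mechanism rather than an authentication one.

```python
"""Heartbeat watchdog and override arbitration for a drive-by-wire link.

Added example, not New Eagle's implementation. Message layout, periods and
the safe state are assumptions made for illustration.
"""
from dataclasses import dataclass, replace

HEARTBEAT_PERIOD_S = 0.05   # assumed 20 Hz heartbeat
MAX_MISSED = 3              # link declared lost after this many periods without a valid beat
COUNTER_MODULO = 256        # assumed 8-bit rolling counter


@dataclass(frozen=True)
class Command:
    throttle: float = 0.0   # 0..1
    brake: float = 0.0      # 0..1
    steer: float = 0.0      # normalised steering request, -1..1
    gear: str = "P"


SAFE_STATE = Command(throttle=0.0, brake=0.3, steer=0.0)   # assumed: no torque, light brake


class HeartbeatMonitor:
    def __init__(self, period_s: float = HEARTBEAT_PERIOD_S, max_missed: int = MAX_MISSED):
        self.timeout_s = period_s * max_missed
        self.last_ok_time = None
        self.last_counter = None
        self.rejected = 0

    def on_heartbeat(self, now: float, counter: int) -> bool:
        """Grant liveness credit only for a beat whose counter advanced by exactly one."""
        if self.last_counter is None:
            self.last_counter, self.last_ok_time = counter, now
            return True
        expected = (self.last_counter + 1) % COUNTER_MODULO
        if counter == expected:
            self.last_counter, self.last_ok_time = counter, now
            return True
        self.rejected += 1
        if counter != self.last_counter:
            # Counter jumped: beats were lost in between. Resynchronise, but give
            # no credit until the next consecutive beat proves the sender is alive.
            self.last_counter = counter
        # A repeated counter (stuck sender or replayed frame) changes nothing.
        return False

    def is_alive(self, now: float) -> bool:
        return self.last_ok_time is not None and (now - self.last_ok_time) <= self.timeout_s


class DriveByWireArbiter:
    """Priority: driver override > lost heartbeat (safe state) > autonomy command."""

    def __init__(self, monitor: HeartbeatMonitor):
        self.monitor = monitor
        self.applied = Command()

    def arbitrate(self, now: float, autonomy_cmd: Command,
                  driver_override: bool) -> tuple[Command, str]:
        if driver_override:
            # Driver has the pedals/wheel: stop actuating, keep the selected gear.
            self.applied = Command(gear=self.applied.gear)
            return self.applied, "driver_override"
        if not self.monitor.is_alive(now):
            self.applied = replace(SAFE_STATE, gear=self.applied.gear)
            return self.applied, "heartbeat_lost"
        self.applied = autonomy_cmd
        return self.applied, "autonomy"


def run_scenario() -> list[str]:
    """Constructed timeline: healthy link, stuck counter, recovery, override, silence."""
    monitor = HeartbeatMonitor()
    arbiter = DriveByWireArbiter(monitor)
    cruise = Command(throttle=0.3, gear="D")
    timeline = [
        ("hb", 0.00, 0), ("hb", 0.05, 1), ("hb", 0.10, 2),
        ("cmd", 0.12, False),              # link alive -> autonomy command applied
        ("hb", 0.15, 2), ("hb", 0.20, 2),  # sender stuck at counter 2: no credit
        ("cmd", 0.30, False),              # 0.20 s since last valid beat > 0.15 s -> safe state
        ("hb", 0.35, 3),                   # counter advances again -> link alive
        ("cmd", 0.40, False),
        ("cmd", 0.45, True),               # driver intervenes -> override wins
        ("cmd", 0.70, False),              # heartbeats stopped -> safe state
    ]
    reasons = []
    for kind, t, arg in timeline:
        if kind == "hb":
            monitor.on_heartbeat(t, arg)
        else:
            _, reason = arbiter.arbitrate(t, cruise, driver_override=arg)
            reasons.append(reason)
    return reasons


if __name__ == "__main__":
    print(run_scenario())
```

The rolling counter is what separates "the bus is quiet" from "the sender is alive": a controller that only checked for frame arrival would keep trusting a stuck or replayed heartbeat, which is why the monitor refuses credit for a counter that does not advance.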
More Kits, More Possibility
With kits available for a growing number of production vehicles including the Toyota Prius, Chrysler Pacifica, Jeep Grand Cherokee, and Volvo Class 8 Truck, autonomous system solutions like the drive-by-wire aren’t just supporting faster and safer development–they’re expanding the horizons for real-world autonomous application.
From passenger mobility to fleet and off-road applications, autonomous advancement is now more accessible than ever with innovative control solutions like the drive-by-wire kit. Learn how New Eagle’s drive-by-wire kit could support your autonomous goals and path to production by discussing your project with our engineers. To see the drive-by-wire kit in action, watch the video below.