At the end of 2018, the long-awaited update to the ISO 26262 standard was finalized and published. This new version expands the scope of the original 2011 publication to incorporate additional safety measurements and industry segments beyond the original passenger vehicle applications. With this expansion, many of our customers are coming to us with the same questions: Does this updated standard apply to my project and how do I incorporate it into my development process?
Does the ISO 26262 Apply to Your Project?
Although the ISO 26262 standard can seem complex and overwhelming, we can guide you in the right direction and help you to answer the important questions. With our team of Automotive Functional Safety Engineers (AFSEs), we will show you a path to production that incorporates the necessary safety standards that are required for today’s various industries. We will assist your company in clarifying whether the updated ISO 26262 standard applies to your project, conduct a risk assessment of your product and development cycle, provide you with ISO capable hardware, and teach you how to incorporate the required development processes necessary to achieve the safety standard.
What is ISO 26262?
ISO 26262 is an international standard for road vehicles that provides a framework for functional safety throughout the progression of electrical and electronic (E/E) systems development. While some requirements are product-specific, others focus on the safety regulations throughout the development lifecycle. These standards demonstrate how companies should integrate functional safety into their development process, providing regulations and recommendations on how to achieve appropriate functional safety measures. To put it simply, this is a common standard that measures and verifies the safety of a system before it is put into service.
ISO 26262 uses a system of steps to provide companies with a way to manage the functional safety and regulate product development on the system, hardware, and software from conceptual development through decommissioning. The steps include administering an automotive risk-based approach to determine the risk classes of a system, called Automotive Safety Integrity Levels (ASILs). It also includes practices that validate and confirm that a vehicle sufficiently reaches an acceptable level of safety.
What Revisions Were Made to ISO 26262 In 2018?
The 2018 revision to the ISO 26262 standard, titled “Road Vehicles – Functional Safety,” includes industry feedback and updates based on advances in technology since the standard was originally published. The standard was reconstructed to provide more detailed objectives and extensions to the overall vocabulary. Additions to the ISO standard include:
- Objective oriented confirmation measures
- Management of safety anomalies
- References to cyber-security
- Updated target values for hardware architecture metrics
- Evaluation of hardware elements
- Additional guidance on dependent failure analysis
- Guidance on fault tolerance, safety-related special characteristics, and software tools.
- Guidance for model-based development and software safety analysis
In addition, two completely new standards were added to the document: ISO 26262-11 for Semiconductors and ISO 2626-12 for Motorcycles.
The main addition that is concerning our customers is the revision that increases the scope of the standard beyond light-duty, automotive passenger applications to include trucks, buses, trailers, semitrailers, and motorcycles.
How and When Does ISO 26262 Apply to Your Project?
Firstly, let’s address when your system is not required to abide by the newly released ISO 26262 standard. Unique E/E systems in special vehicles are exempt from the standard, including:
- Systems designed for drivers with disabilities
- Systems and any components released for production prior to the publication date
- Systems and any components under development during the publication date
The standard is intended to be applied to safety-related E/E systems in production road vehicles, which are any vehicle used by or used among the general public. As stated above, this now incorporates trucks, buses, trailers, semitrailers, and motorcycles. In addition, if you are conducting alterations to an existing system that was released for production prior to the publication date, then it falls within the scope of the updated standard.
What Does an ASIL Requirement Mean and How is it Determined?
In order to understand what ASIL requirements are, we must first look at Hazard Analysis and Risk Assessments (HARA). HARAs are used to identify and classify hazardous events caused by malfunctioning behaviors within the system. Each hazard is assessed based on the relative effect the hazardous incident could have on the overall E/E system and is dependent on the probability of the hazard actually manifesting. The assessment also takes into account the severity of potential bodily injuries that could be attained by the driver or other passengers within the relative amount of time the vehicle is exposed to the hazard, as well as the probability of whether a typical driver could prevent injury from occurring. Once all the hazards are assessed, the HARA process creates safety goals to prevent or reduce each hazard, assigning each safety goal an Automotive Safety Integrity Level (ASIL).
ASILs are an automotive specific, risk-based approach that determine the risk classes and integrity levels of each safety goal. They also determine if the safety goals abide by the ISO safety standard. The determination of the ASIL is a function of three variables: exposure, severity, and controllability.
Exposure – how often does the operational situation occur?
Severity – how severe is the potential harm?
Controllability – are the occupants, or operator, able to take control to mitigate any potential injuries?
Since the ISO 26262 standard was originally published in 2011, industry experience and practice in this area has formalized into “SAE J2980 – Considerations for ISO 26262 ASIL Hazard Classification.” This document provides guidelines as to what each level means in a typical scenario. For example, controllability class C2 ‘Normally controllable’ would be true if 90% or more of all drivers are usually able to take control and avoid the specified harm. The guidelines can act as a rule-of-thumb in cases that require a judgement call.
Once these three items are established for each safety goal, the ASIL can be determined using the chart below.
While a “quality managed” (QM) rating signifies that the safety goal is not severe enough to require specific regulations through the standard, those that are will be given a rating of ASIL A through ASIL D depending on the severity.
The determined ASILs will be further refined into Functional Safety Requirements (FSRs), incorporating these same ASIL designations. At some point throughout the development process, the requirements will be allocated to units (e.g. ECUs) for implementation.
The Cost of ASIL Compliance
The cost and complexity of compliance may increase by as much as an order of magnitude with each step, ranging throughout ASIL A to ASIL D. While ASIL A may have small limited effects on the development process, it is assumed that safety goals with an ASIL D rating have significant cost and timing effects for a program.
For example, to plan, execute, verify, and document compliance, the following effort multipliers could be considered:
Functional System : 1
ASIL A : 1.5x – 3x
ASIL B : 2x – 4x
ASIL C : 5x – 8x
ASIL D : 10x+
These multipliers depend heavily on current process maturity, system design, and system requirements. Specific requirements and obligatory work items for software, hardware, and tools are provided within the safety standard.
How Can ASIL Decomposition Save Time and Money?
ISO 26262:9 describes ASIL-oriented and safety-oriented analyses. One of which is ASIL Decomposition, whereby ASIL safety levels and requirements are decomposed over redundant and sufficiently independent elements within your design. As higher ASILs typically require higher costs, decomposition can help to meet safety requirements with reduced cost and effort.
Decomposing the different ASIL levels typically follows a predefined pattern, often occurring over multiple ASIL levels since the ISO standard allows for multilevel decomposition. The figure below shows an example of the decomposition of an ASIL D using three different approaches.
Decomposition of the different ASIL ratings throughout the system can occur over different elements, working down through the system, subsystems, software, and hardware. ASIL decomposition is typically performed manually and must result in redundant safety requirements allocated to design elements of sufficient technical independence. Here at New Eagle, we have certified staff and experience with ASIL tailoring, such as ASIL Decomposition, which may be applied within your project to save cost and time.
Path to Production
Based on your ASIL allocations after decomposition, you need to select an ECU to be utilized in your design that will best meet the requirements defined by the ISO 26262 standard. For each ASIL, you will likely have a list of required diagnostic coverage mechanisms. In a typical safety design, for example, processors integrate a self-checking safety monitor. Additionally, intended hardware typically includes pre-established safety features, such as error correcting code (ECC) and a programmable watchdog timer, to help detect system failures and runtime faults. A modern central processing unit (CPU) will utilize a multicore architecture with a hardware lock-step safety mechanism, which can significantly reduce complexity while improving reliability and availability. These modern architectures include built-in self-test and optimization to prevent common cause failures.
Using an off-the-shelf component in a safety design requires that the component be capable of executing the necessary functions, compatible with your system design, and well documented. Typically, the component would be documented as a Safety Element out of Context (SEooC). It’s important to understand which subcomponents in the ECU can be defined as a safety-critical dependent for an application, as these elements may be used in your safety design. Diagnostic coverage mechanisms must be in place and able to detect dangerous failures within these components in order for them to be used in a safety function. These assumptions should be documented by the ECU vendor within a Safety Manual, and must be taken into account. They provide constraints on the applicability of an off-the-shelf part for any given design.
Here at New Eagle, we have several Raptor™ hardware design options available for production projects that require ISO 26262. These safety capable ECUs target ASIL B – ASIL D, and include a range of I/O and communication interfaces.
- GCM196 / ECM196 –This ASIL B capable hardware design is built on the standard automotive e-gas monitoring concept commonly used for powertrain control. Depending on the results of ASIL Decomposition, this is an excellent option for multiple safety goals with various ASIL ratings. This control module has three CAN buses, one LIN bus, and a large variety of I/O.
- C48 – This powerful general-purpose control module is perfect for applications that require advanced performance, timing systems, and functional safety capabilities. The CPU is a high-performance multi-core architecture that can support the highest level of functional safety (ASIL-D).
- GCM121 – This ASIL C capable, general-purpose control module is perfect for applications that require advanced performance, timing systems, and functional safety capabilities. It has a broad communication capacity with its four CAN buses, two LIN buses, and one Ethernet bus.
- C112 – This powerful general-purpose control module is perfect for applications that require advanced performance and heavy communication requirements due to its four CAN buses, two LIN buses, and Ethernet capabilities. The CPU is a high-performance multi-core architecture that can support the highest level of functional safety (ASIL-D).
These examples illustrate a range of design options, which can be matched with your system requirements to create a solution compatible with your needs. All ISO 26262 production projects require safety planning and implementation assistance from our Functional Safety Certified staff. Please contact our sales team to discuss our available options.
Important Safety Standard Considerations
It is important to consider ISO 26262 safety standards when developing electronic systems, especially since this standard now incorporates a variety of road vehicle applications. Failing to do so and potentially overlooking possible vehicle malfunctions during the development process could result in liability issues for the manufacturer down the road.
For those companies that are unfamiliar with ISO 26262, seeking consultation from our AFSEs will help you to incorporate the safety standard into your development. Our engineering expertise and line of rugged, ISO 26262 capable hardware design options will help you build an efficient path to production.