
AUTOMOTIVE BASICS

Just a collective information

ISO 26262

Automotive safety: An ISO 26262 perspective
Benefits of ISO 26262
Implementing ISO 26262 ensures that a high level of safety is built into car components right from the start. The standard can be used to establish a safety management system based on internationally recognized best practices and the latest approach to risk management, giving you a competitive edge. It is expected that car manufacturers will use compliance to ISO 26262 as a means to qualify components and potential suppliers of E/E components.
What is ISO 26262?
ISO 26262 is a multipart standard defining requirements and providing guidelines for achieving functional safety in E/E systems installed in road vehicles. The standard ISO 26262 is considered a best practice framework for achieving functional safety in road vehicles.

(Figure: https://automotivetechis.wordpress.com/iso26262/untitled11/)
Scope of ISO 26262
Hardware/Software such as electric/electronic devices
Parts or systems that may significantly impact on human lives in case of malfunction/failure are considered.
Equipment that consists only of machinery is out of its scope
The entire Life Cycle of automotive products
Motor vehicles up to 3500 kg
The framework provided by ISO 26262 deals with the functional safety of:
Products. The standard requires a safety case and a number of confirmation measures to be applied during the product lifecycle
Processes. The standard requires specific lifecycle processes to be implemented within a safety management system driven by a risk based approach.
Safety has been a key aspect in the automotive industry even from its earliest stages, but the importance with which it is regarded has become far greater in recent times. Currently the biggest compound annual growth rate (CAGR) in automotive electronics revenue can be attributed to safety applications. Increasingly car manufacturers are making safety a key selling point with which to differentiate themselves from their competition. But with a growing amount of electronics content making up a car's bill of materials, there is now a necessity to switch from the long established best practices approach to well defined universal guidelines. As a result, industry protagonists have joined forces to develop a standard with far reaching implications.
The word safety is subject to various different interpretations. However, when applied to modern automobile design it can generally be categorized using the following structure:
1. Passive safety: Assuming that an accident is effectively inevitable, the aim of passive safety mechanisms is to minimize the severity of that accident. The passive safety elements found within a vehicle include seat belts, crumple zones, etc.
2. Active safety: The systems that are concerned with active safety (based on the knowledge of the current state of the vehicle) will aim to avoid accidents altogether in addition to the minimization of its effects if an accident occurs. Seat belt pretensioning, airbag deployment, predictive emergency braking, antilock braking systems and traction control are all examples of this.
3. Functional safety: This focuses on ensuring that all of the electrical and electronic systems (such as power supplies, sensors, communication networks, actuators, etc.), including (but not limited to) all active safety related systems, function correctly. Functional safety is dealt with by the ISO 26262 standard (published in November 2011).
Structure of ISO 26262:

(Figure: https://automotivetechis.wordpress.com/iso26262/26262large/)

It is important to state from the beginning that functional safety does not mean that there is no risk of a malfunction taking place; instead, functional safety implies the absence of unacceptable risk due to hazards caused by malfunctioning behavior of electrical and electronic systems.

(Figure: https://automotivetechis.wordpress.com/iso26262/iso/)

ISO 26262 Software Compliance: Achieving Functional Safety in the Automotive Industry

Introduction: Functional Safety In The Automotive Industry
Electronic systems carry out many functions in modern automobiles, including driver assistance functions, vehicle dynamics control, and active/passive safety systems. The complexity of electronically driven operations, especially safety functions, makes predicting safety performance extremely difficult. More action will be required, furthermore, to reduce the risks of systematic and random hardware failures as system complexity continues to increase.
ISO 26262 is a functional safety standard intended to be applied to the development of software for electrical and/or electronic (E/E) systems in automobiles. ISO 26262 is an adaptation of the broader IEC 61508 safety standard, which has been used to derive safety standards for the nuclear power, machinery, railway, and other industries. It is aimed at reducing risks associated with software for safety functions to a tolerable level by providing feasible requirements and processes.

About ISO 26262:
ISO/DIS 26262 is the adaptation of IEC 61508 (http://en.wikipedia.org/wiki/IEC_61508) to comply with needs specific to the application sector of E/E systems within road vehicles. ISO 26262 covers functional safety aspects of the entire development process (including such activities as requirements specification, design, implementation, integration, verification, validation, and configuration). The standard provides guidance on automotive safety lifecycle activities by specifying the following requirements:
Functional safety management for automotive applications
The concept phase for automotive applications
Product development at the system level for automotive applications
Product development at the hardware level for automotive applications
Product development at the software level for automotive applications
Production, operation, service and decommissioning
Supporting processes: interfaces within distributed developments, safety management requirements, change and configuration management, verification, documentation, use of software tools, qualification of software components, qualification of hardware components, and proven in use argument.
Automotive Safety Integrity Level (ASIL) oriented and safety oriented analyses

What ISO 26262 Does Not Cover
Unique E/E systems in special purpose vehicles such as vehicles designed for drivers with disabilities
Hazards related to electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy and similar hazards, unless directly caused by malfunctioning behavior of E/E safety related systems
Nominal performance of E/E systems

Example for Functional Safety:

(Figure: https://automotivetechis.wordpress.com/iso26262/untitled12/)

Specific Software Development Sections In ISO 26262
Part 6 of the standard specifically addresses product development at the software level. Requirements for the following development activities are specified:
Initialization of product development
Specification of software safety requirements
Software architectural design
Unit design and implementation
Unit testing
Software integration and testing
Verification of software safety requirements.
What is functional safety in accordance with ISO 26262?
ISO 26262 focuses on the functional safety of electrical and electronic (E/E) systems in vehicles. Functional safety in accordance with ISO 26262 affects all systems containing electrical, electronic, or electromechanical components, i.e. systems from the fields of actuator and sensor technology as well as control electronics. Industrial systems in general are covered by IEC 61508, with additional sector specific standards applying to railroad technology, aircraft technology, etc. ISO 26262 is the sector specific extension of IEC 61508 for the automotive industry.
Functional safety is concerned with the absence of unreasonable risk to individuals caused by potential malfunctions in E/E systems. Functional safety is therefore considered a system property. Known active and passive safety systems differ in that active safety is primarily concerned with proactive accident prevention (through the vehicle driver's driving ability, but also electronic systems such as ACC, ABS, ESP, etc.), whereas passive safety relates to the reactive mitigation of the consequences when an accident has already occurred (e.g. safety belts, but also electronic systems such as airbags, belt tensioners, etc.). The electronic systems for active and passive safety must themselves be functionally safe, since malfunctions in these systems could also cause personal injury. Functional safety focuses primarily on risks arising from random hardware faults as well as systematic faults in system design, in hardware or software development, or in production, through to the commissioning, repair, and withdrawal of the system.
To this end, ISO 26262 comprises 10 sections with around 750 clauses on approximately 450 pages, which deal with system design, hardware, software, and the associated development processes among other things. The safety lifecycle plays an important role in this regard. The safety lifecycle governs the identification, design, monitoring, and evaluation of the various elements involved in an industry standard V model in causal sequence. The term functional safety should not be confused with or, worse still, equated to product characteristics such as reliability, availability, and security [1]. Reliability describes the probability of a system performing its assigned function within a particular period of time. Availability describes the percentage of a system's entire service life during which it can be used to perform its assigned function [2].
ISO 26262 itself is not a certification standard and therefore contains no clauses regulating certifications or the scope thereof. From the point of view of the standard, there is no requirement to certify systems, components or processes against it; neither is this standard directly relevant for vehicle registration. Experience in implementing ISO 26262 has shown that, for many of those that apply the standard, it is worth obtaining an external assessment as well as certification. The content of these checks is currently being finalized by the competent certifying bodies.
From a legal point of view, ISO 26262 does not bring about any direct change in the legal situation. The provisions of product liability and liability for material defects continue to apply. With regard to other legal aspects such as reversal of the burden of proof, reference is made to the relevant legal publications. In general, professional standards are deemed relevant when assessing the state of the art, meaning that ISO 26262 is naturally of indirect legal importance.
To take account of the supply structure in the automotive industry, ISO 26262 contains requirements for regulating safety relevant responsibilities in the case of split site development. This is the purpose of the Development Interface Agreement (DIA), which covers the explicit detailed agreement between the companies involved at their interfaces. As explained in the following section, it is in no way sufficient for a customer simply to make a general request to his supplier to work in an ISO 26262 compliant manner or just to state a particular safety classification. An explicit agreement on a technical level of, in particular, safety objectives, the classification of safety goals, and the safety measures to be implemented, etc. is also essential to ensure the development of a safe product above and beyond supply boundaries.
How is functional safety in accordance with ISO 26262 achieved?
The safety lifecycle starts with a definition of the system to be considered at vehicle level (item). For the purposes of illustration, let us take the example of an airbag system. The next step is to carry out a hazard analysis and risk assessment for the system to be considered. One potential hazard in an airbag system would be the airbag inflating unintentionally. A corresponding safety goal must now be determined for each hazard. In this example case, one safety goal would be to prevent the airbag from inflating unintentionally. Typically, a large number of safety goals are identified at this point. Each safety goal is then classified either in accordance with QM or in accordance with one of four possible safety classes, which are termed Automotive Safety Integrity Level (ASIL) in the standard, with the four levels being termed ASIL A to ASIL D. The rating QM indicates that a standard quality management system, e.g. in accordance with ISO/TS 16949, and the observance of established standards such as Automotive SPICE are sufficient to achieve the corresponding safety goal and that no additional requirements need to be taken from ISO 26262. The next highest rating ASIL A in accordance with ISO 26262 indicates the lowest safety classification, ASIL D the highest. The ASIL is determined for each safety goal with the aid of an allocation table contained in the standard. Three parameters are evaluated in each case. These are:
Exposure, i.e. how often the vehicle is in a situation in which the people involved, e.g. driver, passengers or other road users, may be put at risk
Controllability, i.e. how well the individuals involved can handle an infringement of the safety goal
Severity, which quantifies the seriousness of the consequences that may arise from a breach of the safety goal.
The unintentional inflation of the airbag is typically classified as ASIL D.
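As an added example (not code from the original page), the ASIL determination described above written out in C: the S/E/C ratings from the hazard analysis are mapped through the ASIL determination table of ISO 26262-3 (Table 4 of the 2011 edition), and the item inherits the highest ASIL of its safety goals. The ratings S3/E4/C3 for the airbag goal are an assumption, chosen because they are the only combination the table maps to ASIL D.

```c
#include <stdio.h>

/* Severity S1..S3, Exposure E1..E4 and Controllability C1..C3 as rated in the
 * hazard analysis; the result is QM or ASIL A..D (ASIL_INVALID for bad input). */
typedef enum { ASIL_INVALID = -1, ASIL_QM, ASIL_A, ASIL_B, ASIL_C, ASIL_D } asil_t;

typedef struct { const char *safety_goal; int s, e, c; } safety_goal_t;

/* ISO 26262-3 Table 4 is monotone in S+E+C: only S3/E4/C3 (sum 10) yields
 * ASIL D; sum 9 is C, 8 is B, 7 is A; anything lower is QM. */
asil_t asil_classify(int s, int e, int c)
{
    if (s < 1 || s > 3 || e < 1 || e > 4 || c < 1 || c > 3)
        return ASIL_INVALID;          /* outside the table: reject, never guess */
    int sum = s + e + c;
    if (sum >= 10) return ASIL_D;
    if (sum == 9)  return ASIL_C;
    if (sum == 8)  return ASIL_B;
    if (sum == 7)  return ASIL_A;
    return ASIL_QM;
}

/* An item inherits the highest ASIL among its safety goals; one invalid rating
 * invalidates the whole classification instead of silently lowering it. */
asil_t item_asil(const safety_goal_t *goals, int n)
{
    asil_t worst = ASIL_QM;
    for (int i = 0; i < n; i++) {
        asil_t a = asil_classify(goals[i].s, goals[i].e, goals[i].c);
        if (a == ASIL_INVALID) return ASIL_INVALID;
        if (a > worst) worst = a;
    }
    return worst;
}

const char *asil_name(asil_t a)
{
    static const char *const names[] = { "QM", "ASIL A", "ASIL B", "ASIL C", "ASIL D" };
    return (a >= ASIL_QM && a <= ASIL_D) ? names[a] : "INVALID";
}

int main(void)
{
    /* Constructed ratings for the page's airbag example: S3/E4/C3 is the only
     * combination the table maps to ASIL D, matching the text's classification. */
    const safety_goal_t goals[] = { { "prevent unintended inflation", 3, 4, 3 },
                                    { "constructed second goal", 2, 3, 2 } };
    printf("item ASIL: %s\n", asil_name(item_asil(goals, 2)));   /* ASIL D */
    return 0;
}
```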
Safety goals must be implemented in accordance with the classified ASILs. In other words, suitable processes and methods must be implemented to avoid systematic faults and corresponding additional requirements must be applied to the product to rectify technical faults. This is done initially by defining a functional safety concept. In the example case, this could be a redundancy concept comprising a control channel and an independent monitoring channel. The airbag would only inflate if both channels were in accordance with each other.
The technical aspects are then fleshed out in a technical safety concept. In the example case, a safety architecture could be defined with a sufficient number of independent sensors, with each channel having to enable the trigger circuit independently for the functional safety concept to be realized. The architecture could also include safety measures implemented outside the E/E system (e.g. using mechanical preventive measures). The implementation of such measures does not, however, fall within the scope of ISO 26262. The corresponding standards must be taken into account in this regard.

The hardware safety requirements and software safety requirements are now determined based on the technical safety concept. The following objectives are particularly important: achieving or maintaining sufficient independence in redundant system structures (dependent failure avoidance), and achieving specific metrics in the evaluation of hardware (single point fault metric, latent fault metric). The system integration is followed by the safety validation, the functional safety assessment and the release for production, with the specific requirements of ISO 26262 being based on the relevant ASIL classification of the safety goals.
The scope of the standard also covers production and operation of the system through to its decommissioning in the field. The airbag is a particularly good example of how the unintentional inflation of the airbag must be avoided even at the end of a product's lifecycle.
Need for internal expertise
Functional safety is a complex topic
Functional safety standards are difficult to master
Further challenges
ISO 26262 can lead to multiple interpretations
Many companies/consultants were (and still are) very much IEC 61508 focused
But automotive has different constraints to consider
Often the concepts of safety, availability and reliability are mixed up: "It must always work. Then it needs to comply to ISO 26262!"
ISO 26262 terminology is still often read with IEC 61508 eyes, leading to many misunderstandings.
Example: IEC 61508: Item is an element of the final Control System. ISO 26262: Item is the final system at vehicle level.
Based on the functional safety concept, the technical safety concepts are derived.
The technical safety requirements are mapped to system elements which are hardware or software based.
If a system component fails:
1. means need to be specified which will detect the failure (self control) and
2. a reaction needs to be present which will transition the system into a safe state.
3. After hardware and software development, there is hardware and software integration, followed by system integration and vehicle integration.
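An added C sketch (not the page's code, nor any supplier's) of the two-channel airbag trigger decision from the functional and technical safety concept in the airbag example above, combined with the detect-and-react steps just listed for a failing component: each channel evaluates only its own sensor, the trigger is enabled only when both channels enable it, and a failed self-check or an implausible disagreement between the independent sensors latches the safe state. All thresholds and sensor readings are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

#define FIRE_THRESHOLD_MG     25000  /* constructed: deceleration (milli-g) at which a channel enables the trigger */
#define SENSOR_MAX_MG         50000  /* constructed: a reading above this fails the sensor self-check */
#define CHANNEL_MISMATCH_MG    5000  /* constructed: larger cross-channel difference is implausible */

typedef struct {
    bool fire;          /* trigger-circuit enable for the current cycle */
    bool fault_latched; /* safe state: deployment inhibited until a service reset */
} airbag_state_t;

/* One channel evaluates only its own sensor. *healthy carries the
 * self-check result; a channel that fails it can never enable the trigger. */
static bool channel_decide(int32_t decel_mg, bool *healthy)
{
    *healthy = decel_mg >= 0 && decel_mg <= SENSOR_MAX_MG;
    return *healthy && decel_mg >= FIRE_THRESHOLD_MG;
}

/* One control cycle with the control-channel and monitoring-channel readings. */
void airbag_cycle(airbag_state_t *st, int32_t ctrl_mg, int32_t mon_mg)
{
    st->fire = false;                 /* safe default, re-derived every cycle */
    if (st->fault_latched)
        return;                       /* remain in the safe state */
    bool ctrl_ok, mon_ok;
    bool ctrl_fire = channel_decide(ctrl_mg, &ctrl_ok);
    bool mon_fire  = channel_decide(mon_mg, &mon_ok);
    int64_t diff = (int64_t)ctrl_mg - mon_mg;   /* 64-bit: no overflow on bad readings */
    if (diff < 0) diff = -diff;
    /* Detection (self control): a failed self-check on either channel, or the
     * independent sensors disagreeing beyond plausibility. Reaction: safe state. */
    if (!ctrl_ok || !mon_ok || diff > CHANNEL_MISMATCH_MG) {
        st->fault_latched = true;
        return;
    }
    /* The squib is enabled only if both independent channels enable it. */
    st->fire = ctrl_fire && mon_fire;
}

/* Replay n cycles of (constructed) sensor readings from the power-on state. */
airbag_state_t run_sequence(const int32_t *ctrl_mg, const int32_t *mon_mg, int n)
{
    airbag_state_t st = { false, false };
    for (int i = 0; i < n; i++)
        airbag_cycle(&st, ctrl_mg[i], mon_mg[i]);
    return st;
}
```

Note that a channel disagreement below the plausibility limit (one channel above the fire threshold, the other below) is not treated as a fault; it simply yields no deployment, which is the agreement rule the functional safety concept describes.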
Item integration:
1. Experimental testing (time and cost intensive)
2. Reconfiguration of HW and SW
3. Timing behavior (Analytics)
4. Independence and Interference
Please refer to the following documents for AUTOSAR safety information:
1. AUTOSAR_Methodology (https://automotivetechis.wordpress.com/iso26262/autosar_methodology/)
2. AUTOSAR and functional safety (https://automotivetechis.wordpress.com/iso26262/autosarandfunctionalsafety2/)
3. FUNCTIONAL_SAFETY (https://automotivetechis.wordpress.com/iso26262/functional_safety/)
