Safety is of primary importance throughout the design and development of an automotive project. Although provisions ensure that components are developed safely in a distributed process, potential failures may still go unnoticed, so thorough system-wide safety evaluation and verification is required. Complex electrical systems face many potential failure causes, such as issues in specification, design, testing, or production. Verifying that a solid development process, with accurately elaborated design and testing concepts, is in place is therefore crucial.

To ensure safety, the hierarchical approach of ISO 26262 is followed.

Figure 1. Technical workflow – hierarchical approach of ISO 26262.

Hazard and Risk Analysis

Following the initial safety plan and item definition, the Hazard and Risk Analysis (HARA) process is performed. HARA is an approach that identifies potentially relevant hazards, assesses the related risks for a specific application and defines safety goals to mitigate these risks. It begins with a list of malfunctions that may occur at the item's functional level, due to potential shortfalls or unintended behaviours of the high-level functions. Starting from the main functions of the platform described in the system architecture and the associated potential failures of those functions (malfunctions), the HARA process identifies their potential effects (potential functional hazardous events). Each identified functional hazardous event is then analysed to determine the level of risk it poses, evaluating the Automotive Safety Integrity Level (ASIL, as defined in the ISO 26262 standard) based on the severity, exposure and controllability of the malfunction. The necessary risk reduction measures are specified for the prevention or mitigation of the associated hazardous event. These safety goals guide the development of safety requirements, which are then implemented and verified to ensure the system's functional safety.
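The HARA step described above, worked through on a small constructed example (added here; not code from the original page or from CertX). The hazardous events, the steering item and the S/E/C ratings are invented for illustration; the ASIL determination itself is the ISO 26262-3 table, which reduces to the sum of the three ratings, and each safety goal takes the highest ASIL of the hazardous events it covers.

```python
from dataclasses import dataclass

# ISO 26262-3 ASIL determination: S1-S3 + E1-E4 + C1-C3 summed, 7 -> A ... 10 -> D,
# anything below 7 is QM, and any rating of 0 (S0/E0/C0) yields QM.
ASIL_BY_SUM = {7: "A", 8: "B", 9: "C", 10: "D"}
ASIL_ORDER = ["QM", "A", "B", "C", "D"]


def determine_asil(s: int, e: int, c: int) -> str:
    """Map severity (S0-S3), exposure (E0-E4), controllability (C0-C3) to an ASIL."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError("rating outside the ISO 26262 ranges")
    if 0 in (s, e, c):
        return "QM"
    return ASIL_BY_SUM.get(s + e + c, "QM")


@dataclass
class HazardousEvent:
    malfunction: str      # failure of a high-level function (from the item definition)
    situation: str        # operational situation in which it occurs
    s: int
    e: int
    c: int
    safety_goal: str      # safety goal that addresses this hazardous event


# Constructed HARA rows for a hypothetical electric power steering item.
EVENTS = [
    HazardousEvent("loss of steering assist", "highway lane change", 3, 4, 2, "SG1"),
    HazardousEvent("loss of steering assist", "parking manoeuvre", 1, 3, 1, "SG1"),
    HazardousEvent("unintended steering torque", "highway, high speed", 3, 4, 3, "SG2"),
    HazardousEvent("unintended steering torque", "stationary, engine on", 0, 4, 1, "SG2"),
]


def safety_goal_asils(events):
    """A safety goal inherits the highest ASIL among the hazardous events it addresses."""
    result = {}
    for ev in events:
        asil = determine_asil(ev.s, ev.e, ev.c)
        current = result.get(ev.safety_goal, "QM")
        result[ev.safety_goal] = max(asil, current, key=ASIL_ORDER.index)
    return result


if __name__ == "__main__":
    for goal, asil in safety_goal_asils(EVENTS).items():
        print(goal, asil)   # SG1 C, SG2 D
```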

Safety Goals

When implementing the safety goals, the analysis shall consider the following functional activities:

− Ensure the safety of the passengers and other road participants.

− Identify, detect, monitor and limit any malfunctioning behaviour that can occur.

− Put the vehicle into a safe mode.

The Safety Goals should cover all the use cases linked to the mission profile of the vehicle. A family vehicle will, for example, incorporate different safety goals than a heavy-duty off-road SUV.

Functional Safety Concept and Technical Safety Concept

The detailing of the safety goals and their allocation to lower architectural levels is documented in the functional safety concept and the technical safety concept. Both concepts consist of requirements and their allocation to a system architecture; their main difference is the level of detail at which they are written.

The functional safety concept describes the system-level requirements necessary to implement the safety goals, allocates them to architectural elements and defines the necessary interactions between those elements. At least one functional safety requirement shall be specified for each safety goal. The functional safety concept shall be verified (according to ISO 26262) to provide evidence of its consistency and compliance with the safety goals and of its ability to mitigate or avoid the hazards.

Technical safety requirements are derived to implement the associated functional safety requirements at a lower system or subsystem level, defining the concrete technical behaviour of the safety-related elements. Each functional safety requirement can be split into several technical safety requirements so that the described behaviour or characteristic is fully specified. Besides specifying the intended functionality, a main task of the technical safety concept is the description of safety mechanisms for the detection and handling of faults and for the prevention of system failures. Safety requirements must be verified according to the specifications of ISO 26262.

System Architecture Design Specification – Safety Aspects

For their implementation, functional and technical safety requirements are allocated to system architectural elements. Whereas functional safety requirements remain at system level without stating whether the intended functions are implemented in hardware or software, the technical safety requirements are already assigned to the implementation domains of hardware and software. The system architecture design specification should be developed iteratively, in collaboration with the safety activities. Deductive and inductive analysis approaches such as Failure Mode and Effects Analysis or Fault Tree Analysis are carried out together with checklist reviews according to ISO 26262 to verify the appropriateness of the safety concepts, finalised by an independent confirmation review to ensure that the defined concept is able to fulfil the defined safety goals. Subsequently, the design enters the hardware and software implementation phase, with its own process requirements, followed by a system integration testing phase in which the evidence for the systematic capability of the implemented functional and technical safety concept is collected.
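A consistency check over the safety-goal / functional-requirement / technical-requirement chain described in the last three sections, added here as an example (not code from the original page or from CertX). The requirement model is constructed: one safety goal for a hypothetical steering item, with one technical requirement deliberately given a lower ASIL than its parent. The checks are the ones the text states (at least one FSR per safety goal, TSRs derived from FSRs, TSRs allocated to a hardware or software element) plus the ISO 26262 rule that a derived requirement inherits its parent's ASIL; ASIL decomposition is not modelled.

```python
ASIL_ORDER = ["QM", "A", "B", "C", "D"]

# Constructed requirement model (illustrative identifiers and texts, not a real project).
SAFETY_GOALS = {"SG2": {"text": "Avoid unintended steering torque", "asil": "D"}}
FSRS = {
    "FSR2.1": {"goal": "SG2", "asil": "D", "text": "Detect implausible torque requests"},
    "FSR2.2": {"goal": "SG2", "asil": "D", "text": "Reach the safe state within the FTTI"},
}
TSRS = {
    "TSR2.1.1": {"fsr": "FSR2.1", "asil": "D", "element": "SW: torque plausibility monitor"},
    "TSR2.1.2": {"fsr": "FSR2.1", "asil": "D", "element": "HW: redundant torque sensor"},
    # Deliberately inconsistent: ASIL B derived from an ASIL D requirement.
    "TSR2.2.1": {"fsr": "FSR2.2", "asil": "B", "element": "HW: motor bridge shutdown path"},
}


def asil_lower(child: str, parent: str) -> bool:
    return ASIL_ORDER.index(child) < ASIL_ORDER.index(parent)


def check_traceability(goals, fsrs, tsrs):
    """Return a list of findings; an empty list means the chain is consistent."""
    findings = []
    for sg in goals:
        if not any(f["goal"] == sg for f in fsrs.values()):
            findings.append(f"{sg}: no functional safety requirement")
    for fid, f in fsrs.items():
        if f["goal"] not in goals:
            findings.append(f"{fid}: references unknown safety goal {f['goal']}")
        elif asil_lower(f["asil"], goals[f["goal"]]["asil"]):
            findings.append(f"{fid}: ASIL {f['asil']} below goal ASIL {goals[f['goal']]['asil']}")
        if not any(t["fsr"] == fid for t in tsrs.values()):
            findings.append(f"{fid}: no technical safety requirement")
    for tid, t in tsrs.items():
        if t["fsr"] not in fsrs:
            findings.append(f"{tid}: references unknown FSR {t['fsr']}")
        elif asil_lower(t["asil"], fsrs[t["fsr"]]["asil"]):
            findings.append(f"{tid}: ASIL {t['asil']} below FSR ASIL {fsrs[t['fsr']]['asil']}")
        if not t["element"].startswith(("HW:", "SW:")):
            findings.append(f"{tid}: not allocated to a hardware or software element")
    return findings


if __name__ == "__main__":
    for finding in check_traceability(SAFETY_GOALS, FSRS, TSRS):
        print(finding)
```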

CertX as your partner for functional safety

If you have any questions about automotive safety standards, particularly about the ISO 26262 series of standards, please do not hesitate to contact our functional safety experts.