Radical changes are propelling the automotive industry forward as electrification transforms vehicles from mechanical systems into electronic wonders. Massive advances in sophisticated electronics and computer systems are making self-driving cars a reality. In response, automotive manufacturers and suppliers have rallied around the concept of “functional safety” detailed in the evolving ISO26262 standard, which is set to transform the automotive design process for safety-focused electrical/electronic (E/E) systems. As vehicles become more autonomous and drivers become increasingly reliant on electronics, the ISO26262 standard will ensure and enhance the safety of vehicles, individual systems, and their underlying components.
As shown in Figure 1, the automotive industry has standardized on six levels for classifying autonomous vehicle systems. While these ratings have made it easier to classify vehicles, safely realizing Level 4 and Level 5 (semi- and fully autonomous) systems has proven quite difficult. Any malfunction in a Level 4 or Level 5 system can directly lead to injury or even death. Functional safety seeks to prevent systems and components from introducing unreasonable risks. At the same time, it provides the automotive manufacturer a framework for legally demonstrating that functional safety has been achieved throughout the life cycle of an E/E system.
Risk and safety are so central that the standard actually defines these terms. Risk is a combination of the probability of the occurrence of harm and the severity of that harm. Unreasonable risk, therefore, is risk that is judged to be unacceptable in a certain context according to valid societal moral norms. Safety, in this paradigm, is simply the absence of unreasonable risk. The ISO26262 standard uses a holistic approach to ensure safety or, in other words, eliminate unreasonable risk.
Functional safety shifts the focus of the entire design cycle and company culture to safety. As shown in Figure 2, the standard encompasses people, processes, and the end product. This is key because, unlike other standards, designers are the central focus. The vehicle designers, system designers, and even individual component designers must all understand how to implement functional safety in all aspects of the design.
Furthermore, the training regimen and company culture must cultivate a “culture of safety”. New processes outlined by the standard support the safety culture with standardized ways of determining and documenting requirements and various safety-related decisions and analyses. Finally, the people and process ultimately create a better, safer product. Many designers have found that the rigorous analysis and documentation required by ISO26262 to ensure functional safety also improve their product’s design and quality. The three core aspects of ISO26262 provide the context needed to understand how the standard is implemented in actual designs.
Implementing functional safety requires a system-level view with the goal of eliminating systematic faults and mitigating random faults in the vehicle. Here, a systematic fault is defined as an error in definition, design, tools, processes, or another failure that can only be addressed by qualitative analysis. Functional safety largely relies on the safety culture and safety processes to mitigate these faults. Random faults, on the other hand, include permanent faults and transient faults that can be evaluated using qualitative and quantitative analysis. The ISO26262 methodology addresses both types of faults. A design starts with the vehicle manufacturer identifying the safety goals at the vehicle level.
Using a defined decomposition process, the vehicle safety goals are translated into safety goals for the lower-level systems and components. The designers then allocate risks to each system and the individual components within it. This, in turn, drives the selection of components that can meet the allocated risk. If a component cannot meet the allocated risk, then a different component must be selected, or safety mechanisms must be implemented around that component. Finally, a technical analysis is performed to prove that a component is suitable for the allocated safety it is responsible for. This safety-focused approach provides automotive designers with a framework for eliminating systematic faults and dramatically reducing random ones.
The ISO26262 standard provides many processes and mechanisms to aid designers in following this new methodology. One of the most useful and important is the “V” model, shown in Figure 3. The basic concept of the “V” model is that requirements flow down from the concept level to the actual implementation. For example, in Figure 3, the “V” starts with the technical safety concepts, which include the technical safety requirements (TSRs), safety mechanisms (SMs), and hardware-software interface (HSI). Next, the design team determines the specifications of the hardware safety requirements (HSRs) and the hardware architecture. Only when these two are complete is the detailed hardware design created.
The entire requirements process includes ISO26262-compliant revision control and traceability documentation. The design team then reviews the design to determine if there is a single-point failure mechanism (SPFM) or latent-fault mechanism (LFM). This analysis is then used to calculate the probabilistic metric for random hardware failure (PMHF), and the design is improved as needed. Now, the design team climbs the right side of the V and performs the hardware integration and verification, followed by system integration and safety validation. As before, revision control and traceability are maintained at each step of the process. By following the V model, designers ensure that the design begins and ends with functional safety as its core tenet.
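The SPFM, LFM, and PMHF calculation mentioned above is usually done from an FMEDA-style table of failure modes. The following is an added example, not code from the article or from Silicon Labs: it splits each failure mode's failure rate into the single-point, residual, and latent classes using the ISO 26262-5 Annex C definitions of SPFM and LFM, then checks the result against the ASIL target values from the standard (which the article does not quote). The failure modes, FIT rates, and diagnostic coverages are constructed for a hypothetical gate-driver stage; the PMHF figure is only a first-order estimate (single-point plus residual rate), and treating the monitor's own failure as a purely latent fault is a modelling assumption. The example also shows the "wrap a safety mechanism around the weak component" step from the text: the same design before and after a reference-voltage monitor is added.

```python
# Added example (not from the article): an FMEDA-style calculation of the
# ISO 26262-5 hardware architectural metrics named in the text, SPFM and LFM,
# plus a first-order PMHF estimate, over a constructed list of failure modes.
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class FailureMode:
    """One row of a constructed FMEDA table for a safety-related hardware element."""
    name: str
    fit: float                 # base failure rate of this mode, in FIT (1 FIT = 1e-9/h)
    safety_related: bool       # can this mode contribute to violating the safety goal?
    dc_residual: Optional[float] = None  # coverage of the safety mechanism (SM) that
                                         # keeps the fault from violating the goal;
                                         # None means no SM covers it (single-point fault)
    dc_latent: float = 0.0     # coverage of the test that keeps a covered fault from staying latent


@dataclass(frozen=True)
class Split:
    """Failure rate of one mode split into ISO 26262-5 fault classes (all in FIT)."""
    total: float
    single_point: float   # lambda_SPF: no safety mechanism at all
    residual: float       # lambda_RF: an SM exists but does not cover this share
    latent: float         # lambda_MPF,latent: covered faults that would stay undetected


def split_failure_rate(fm: FailureMode) -> Split:
    if not fm.safety_related:
        # Safe fault: counts in the totals, but in none of the hazardous classes.
        return Split(fm.fit, 0.0, 0.0, 0.0)
    if fm.dc_residual is None:
        return Split(fm.fit, fm.fit, 0.0, 0.0)
    residual = fm.fit * (1.0 - fm.dc_residual)
    multi_point = fm.fit - residual          # share the SM does catch
    latent = multi_point * (1.0 - fm.dc_latent)
    return Split(fm.fit, 0.0, residual, latent)


@dataclass(frozen=True)
class HardwareMetrics:
    spfm: float      # single-point fault metric (fraction, 0..1)
    lfm: float       # latent-fault metric (fraction, 0..1)
    pmhf_fit: float  # first-order PMHF estimate in FIT (assumption: SPF + RF share only)


def hardware_metrics(modes: Iterable[FailureMode]) -> HardwareMetrics:
    splits = [split_failure_rate(m) for m in modes]
    total = sum(s.total for s in splits)
    spf_rf = sum(s.single_point + s.residual for s in splits)
    latent = sum(s.latent for s in splits)
    # ISO 26262-5 Annex C definitions of the two architectural metrics.
    spfm = 1.0 - spf_rf / total
    lfm = 1.0 - latent / (total - spf_rf)
    # Assumption: first-order PMHF; the full PMHF also carries dual-point terms
    # that depend on exposure time, which this example leaves out.
    return HardwareMetrics(spfm, lfm, spf_rf)


# Target values from ISO 26262-5 (min SPFM, min LFM, max PMHF in FIT); stated here,
# not in the article.
ASIL_TARGETS = {"B": (0.90, 0.60, 100.0), "C": (0.97, 0.80, 100.0), "D": (0.99, 0.90, 10.0)}


def meets_targets(m: HardwareMetrics, asil: str) -> bool:
    spfm_min, lfm_min, pmhf_max = ASIL_TARGETS[asil]
    return m.spfm >= spfm_min and m.lfm >= lfm_min and m.pmhf_fit < pmhf_max


# Constructed failure modes for a hypothetical isolated gate-driver stage; the
# numbers are illustrative, not measured data for any real part.
BASELINE = [
    FailureMode("power FET short", 20.0, True, dc_residual=0.99, dc_latent=0.90),
    FailureMode("driver output stuck", 10.0, True, dc_residual=0.99, dc_latent=0.90),
    FailureMode("reference drift", 4.0, True),      # no monitor: single-point fault
    FailureMode("status LED open", 6.0, False),     # safe fault
]

# Same design after a reference-voltage monitor is wrapped around the weak element
# (the "safety mechanism around that component" step), plus the monitor's own
# failure rate, modelled as a fault that can only stay latent.
HARDENED = BASELINE[:2] + [
    FailureMode("reference drift", 4.0, True, dc_residual=0.95, dc_latent=0.90),
    FailureMode("status LED open", 6.0, False),
    FailureMode("reference monitor fault", 2.0, True, dc_residual=1.0, dc_latent=0.50),
]

if __name__ == "__main__":
    for label, design in (("baseline", BASELINE), ("hardened", HARDENED)):
        m = hardware_metrics(design)
        print(f"{label}: SPFM={m.spfm:.2%} LFM={m.lfm:.2%} PMHF~{m.pmhf_fit:.2f} FIT "
              f"meets ASIL C: {meets_targets(m, 'C')}")
```

Run as a script, the baseline misses even the ASIL B single-point target because the uncovered reference drift dominates the hazardous failure rate, while the hardened design clears ASIL C but not ASIL D. That is the point of the analysis the text describes: the metrics say where the weak element is, and the design is improved and re-evaluated before the team moves up the right side of the V.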
One of the most fundamental steps in the entire functional safety process is for the vehicle manufacturer (OEM) to evaluate the vehicle-level safety requirements. This is called a hazard analysis and risk assessment (HARA), and it creates a basis for the entire project. The HARA starts with the vehicle design team compiling a list of hazardous events. Each event is evaluated with respect to severity, exposure, and controllability with a 1-3 scale assigned to each aspect. For example, an event with a severity of S1 has a low to moderate risk of causing injury. From this analysis, each hazardous event is assigned an ASIL rating from A to D, with D representing the highest risk of injury.
The vehicle design team then defines safety goals (SGs) to counter the hazardous events, and a hierarchy of safety requirements (SRs) is created to address each safety goal, with each SG and SR inheriting the ASIL rating of the hazardous event it addresses. These requirements are then used to drive the design of the safety-related electronics.
Another aspect of the new standard that can quickly become complex is documentation. The two key pieces of documentation required by the standard are work products and safety cases. The documents resulting from ISO26262 activities are called the work products. Work products include verification documents, functional safety assessments, and functional safety audits. For each item in the design, a safety case is created from the work products. The safety case is a documented argument that the item is free of unreasonable risks. These two document types complement one another to form the basis for the ISO26262 documentation process.
For automotive system designers, one of the most impactful aspects of ISO26262 is the effect it has on component selection. Some components now claim to be “ASIL-D compliant.” However, this is very misleading as ASIL compliance and ISO26262 are done at the vehicle level. Actually, components developed according to ISO26262 are suitable for use in an ASIL-D system but are not directly “compliant” to either standard. In addition, many safety-related components are not developed for a specific item in the vehicle and may be used in many different systems. For example, one of Silicon Labs’ isolated gate drivers may drive the FETs in the traction inverter or the onboard charger.
This type of component is referred to as a safety element out of context (SEooC), in which the safety requirements were not passed down to the component designer. Instead, the component designer had assumptions of use (AoU) for the component, which the system designer must review. Components developed according to ISO26262 typically include a safety manual, which includes the assumptions of use and relevant work products the system designer can use to evaluate the safety of system components. The safety manual and the component supplier’s deep knowledge of ISO26262 help ensure the functional safety of the system built with the SEooC.
While safety has always been a critical element in vehicle design, the advent of semi-autonomous and fully self-driving cars has forced the automotive industry to rethink how to build safe electronic systems. Each electronic component, device, and system that impacts vehicle safety must reach a new level of sophistication if the driver is to safely relinquish control. Functional safety and ISO26262 create more than just a dramatic shift in design methodology; they make safety a part of the vehicle design culture. The resulting improvements and innovations in safety from the ISO26262 standard will ensure that electrical systems are ready for the autonomous vehicles of the future.