Essential Course in ADAS Development: What is Functional Safety and ASIL?


Safety has always been a fundamental requirement in automotive function and vehicle development. With ADAS penetration now growing rapidly, functional safety is the critical "bottom-line guarantee" at every stage of research and development.

So, what is functional safety and ASIL?

ISO 26262 defines functional safety as "the absence of unreasonable risk due to hazards caused by malfunctioning behaviour of electrical/electronic systems." The Automotive Safety Integrity Level (ASIL) is the risk classification scheme of ISO 26262: it is assigned to each safety goal and determines how rigorous the safety requirements, the development process and the verification measures for that goal must be. The ASIL is determined by identifying the hazardous events of a system and rating each one on three risk parameters: severity, exposure and controllability.

ISO 26262 is a globally recognized standard for the design and development of automotive electronic/electrical systems. It is a framework for functional safety and an important part of the automotive product development lifecycle.

Hazard analysis and risk assessment (HARA) is carried out on an item, that is, a vehicle-level function together with the hardware and software that implement it. For each hazardous event found, a safety goal is derived and assigned either QM or one of the ASIL levels defined in ISO 26262.


A safety goal is a top-level safety requirement derived from the HARA: it states what the item must achieve, or which malfunction it must avoid, so that a particular hazardous event does not lead to harm. Each safety goal carries an ASIL. ISO 26262 defines four ASIL values: ASIL A, ASIL B, ASIL C and ASIL D.


ASIL D denotes the highest risk, and therefore the most stringent requirements, while ASIL A denotes the lowest. There is also the level QM (quality management), which means the hazard requires no ISO 26262 safety measures beyond the normal quality process.

The following figure shows the steps for determining the ASIL level of the ABS system.


For each hazardous event identified at the vehicle level, the hazard analysis and risk assessment (HARA) determines the level of risk of harm to people and property.

Once this classification is complete, it determines the processes and the degree of risk reduction required to reach a tolerable risk. Each safety goal is assigned an ASIL, and the hardware and software development processes are then carried out with the rigour that ASIL demands.

These safety levels are determined based on three important parameters:

  • Exposure (E): the probability that the vehicle is in an operational situation in which the malfunction can cause harm. The levels are E0: incredible, E1: very low probability, E2: low probability, E3: medium probability and E4: high probability. Exposure is rated for the operational situation of the hazardous event, not for the component itself.

  • Controllability (C): the extent to which the driver (or other persons involved) can avoid harm if the safety goal is violated by a fault or failure of the item being evaluated. The levels are C0: controllable in general, C1: simply controllable, C2: normally controllable and C3: difficult to control or uncontrollable, so C1 < C2 < C3.

  • Severity (S): the extent of harm to people (occupants and other road users) if the safety goal is violated. The levels are S0: no injuries, S1: light and moderate injuries, S2: severe and life-threatening injuries where survival is probable, and S3: life-threatening injuries where survival is uncertain, or fatal injuries.

ASIL A, B, C and D are then read from the allocation table in ISO 26262-3. The table has a simple shape: if any of S, E or C is rated 0 the result is QM; otherwise each one-step increase in severity, exposure or controllability raises the ASIL by one level, so that only the combination S3/E4/C3 yields ASIL D. The ASIL therefore expresses how much risk a failure of the item can pose across the situations considered, and how much risk reduction the development has to provide.


Under the ISO 26262 ASIL and functional safety framework, safety goals take precedence over the nominal function of a component: when a fault occurs, the item must reach or stay in a safe state even if that means degrading or switching off the function.

Determining the ASIL is a critical step in developing high-reliability, functionally safe automotive applications. Automotive designs are becoming more complex, with more new suppliers entering the market and a large number of ECUs, sensors and actuators, which makes it even more important to ensure functional safety at every stage of product development, production and operation.

This is why traditional automotive manufacturers place great emphasis on meeting the highest automotive safety standards and complying with ISO 26262 standards and ASIL levels.


Take lane departure warning plus lane keeping assistance (LDW + LKA), a common ADAS function, as an example. It warns the driver when the vehicle drifts out of its lane without the turn signal set for that direction, and under certain conditions applies a steering torque to assist.

Mainstream systems use a forward-facing monocular camera to detect the lane markings and, from the vehicle's position relative to the markings, its lateral speed and similar data, alert the driver through auditory, visual and haptic channels when an unintentional lane departure is detected.

A HARA is therefore required. The following potential hazardous events illustrate why identifying them matters:

  • LDW + LKA activates although the vehicle has not left its lane. A spurious warning or intervention can startle the driver and provoke an unnecessary or incorrect steering correction.

  • The dashboard or other alert device receives no output from the system, so the driver assumes LDW + LKA is working and reacts too late. For example, the LDW + LKA warning logic triggers, but the warning indicator is never activated. An omitted warning of this kind can also lead to an accident.

The HARA also shows the other side of the function: LKA may apply a steering torque while the driver is steering deliberately, for instance during an evasive manoeuvre, and fight the driver's input, which can be dangerous. The driver must therefore always be able to override the assistance torque, and an intervention that acts against the driver's steering must be cancelled.

Therefore, in principle, LDW + LKA also needs to meet ASIL D requirements: that is what the allocation table yields for a hazardous event rated S3/E4/C3, such as an unintended steering intervention at highway speed that the driver cannot counter in time. However, most solutions currently offered by suppliers are developed to ASIL B. Note that ISO 26262 itself prescribes no minimum ASIL for ADAS systems; the level always follows from the HARA of the specific item in the specific vehicle.

So, who should be responsible for the HARA: the OEM or the suppliers?

Simply put, any party that wants its automotive hardware or software to comply with ISO 26262 must either perform a HARA or work from one. In ISO 26262 the HARA belongs to the item, so it is usually performed by the OEM, which defines the vehicle-level function; the resulting safety goals and safety requirements are then allocated to the suppliers, and the division of work is recorded in a development interface agreement (DIA) as described in ISO 26262-8.

For example, the OEM may require that the electric power steering (EPS) meet ASIL D. It will then require its EPS supplier to show, through the HARA-derived safety requirements and analyses such as FMEA and FMEDA, that the design reaches the required ASIL. Alternatively, the OEM may decide to develop the EPS to the required ASIL itself.

The process flowchart makes clear that the HARA is preceded by the item definition and followed by the functional safety concept.


Step 1: Item Definition

HARA deals with malfunctions at the vehicle level. A clear understanding of how the vehicle and the related subsystems work is therefore essential for the functional safety engineers.

This understanding is captured in the item definition, so a reliable item definition is crucial for an effective HARA.

What is an item? By definition, an item is a system or array of systems that implements a function at the vehicle level. An anti-lock braking system, for example, can be an item.

The item definition includes the following:

  • Item name and description

  • Core technologies of the item (electronic, electrical, mechanical, etc.)

  • Interfaces with other functions (both external and internal)

  • Known safety requirements, including legal requirements and applicable standards, and known failure modes

  • Functional dependencies on other items

The item definition may contain further details; more detail only makes the HARA easier. Once the item definition is fixed, the safety lifecycle begins.

Step 2: Initiation of the Safety Lifecycle

This is largely a transitional step. Here it is decided whether a new item is being developed or an existing item is being modified, and the safety lifecycle activities to be carried out in the subsequent steps are defined.

Step 3: Hazard Analysis and Risk Assessment

At this stage the functional safety engineers understand the item and its functions. The next step is to identify the possible malfunctions of each function of the item, together with the factors that frame them, such as operational situations and operating modes.

All of these are inputs to the HARA. Malfunction identification is best done with HAZOP (Hazard and Operability Analysis), an exploratory method that examines deviations from the intended design or operation of the system.

Simply put, HAZOP assumes that a potential hazard arises wherever the system deviates from its intended behaviour; guide words such as "no", "more", "less", "reverse" and "unintended" are applied to each function to enumerate the deviations.

Each identified malfunction is written up as a hazard description. The situations in which it occurs are recorded as operational situations, which can include idling, acceleration, braking and so on.

Operating modes are likewise recorded for each malfunction; they can include parked, idling, low-speed driving, high-speed driving and so on. Identifying all of these inputs completely depends on the domain expertise of the functional safety consultants and automotive engineers.

Knowledge of the known failures and the data sheets of the components involved also helps in determining the inputs.

Once the hazardous events are identified they are classified: each is rated for severity, exposure and controllability, the ASIL is derived from that rating, and a safety goal is formulated for it. Where several hazardous events lead to the same safety goal, the goal receives the highest ASIL among them. The ASILs and safety goals are the output of the HARA.
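As an added worked example (this is not code from the original article or from any supplier's tooling), the following Python model ties together the S/E/C parameters and allocation table described above, the LDW + LKA hazardous events discussed earlier and the HARA output of Step 3: each constructed hazardous event is rated, its ASIL is looked up, and each safety goal inherits the highest ASIL of the events it covers. The item, the four events, their operational situations and all S/E/C ratings are illustrative assumptions, not the result of a real HARA for any vehicle.

```python
"""Worked HARA classification for a hypothetical LDW + LKA item (added example)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable


class Severity(IntEnum):
    S0 = 0  # no injuries
    S1 = 1  # light and moderate injuries
    S2 = 2  # severe and life-threatening injuries, survival probable
    S3 = 3  # life-threatening injuries (survival uncertain) or fatal

class Exposure(IntEnum):
    E0 = 0  # incredible
    E1 = 1  # very low probability
    E2 = 2  # low probability
    E3 = 3  # medium probability
    E4 = 4  # high probability

class Controllability(IntEnum):
    C0 = 0  # controllable in general
    C1 = 1  # simply controllable
    C2 = 2  # normally controllable
    C3 = 3  # difficult to control or uncontrollable


def asil_for(s: Severity, e: Exposure, c: Controllability) -> str:
    """Return QM or ASIL A..D for one S/E/C rating.

    Reproduces the ISO 26262-3 allocation table: a 0 in any parameter gives
    QM; otherwise each step up in S, E or C raises the level by one, so the
    result depends only on S + E + C (<= 6 -> QM, 7 -> A, 8 -> B, 9 -> C, 10 -> D).
    """
    if 0 in (s, e, c):
        return "QM"
    return {7: "ASIL A", 8: "ASIL B", 9: "ASIL C", 10: "ASIL D"}.get(
        int(s) + int(e) + int(c), "QM")


@dataclass(frozen=True)
class HazardousEvent:
    malfunction: str            # HAZOP-style deviation of an item function
    operational_situation: str  # situation in which the vehicle is exposed to it
    operating_mode: str
    hazard: str                 # resulting harm scenario
    s: Severity
    e: Exposure
    c: Controllability
    safety_goal: str            # goal whose violation this event represents

    @property
    def asil(self) -> str:
        return asil_for(self.s, self.e, self.c)


# Constructed events for a hypothetical LDW + LKA item. Wording and S/E/C
# ratings are illustrative assumptions, not a real HARA result.
SG_NO_FALSE_WARNING = "SG1: No LDW warning without an actual lane departure"
SG_WARNING_SHOWN = "SG2: A detected lane departure is signalled to the driver"
SG_NO_UNINTENDED_TORQUE = "SG3: No LKA steering torque against the driver's intent"

LDW_LKA_EVENTS = [
    HazardousEvent("Unintended warning (no lane departure)",
                   "Lane following on a multi-lane road", "Driving, high speed",
                   "Startled driver makes an unnecessary steering correction",
                   Severity.S1, Exposure.E4, Controllability.C2, SG_NO_FALSE_WARNING),
    HazardousEvent("Omitted warning (computed but not displayed)",
                   "Unintentional drift out of lane", "Driving, low speed",
                   "Driver trusts LDW and reacts late to the departure",
                   Severity.S2, Exposure.E3, Controllability.C1, SG_WARNING_SHOWN),
    HazardousEvent("Unintended LKA torque against driver input",
                   "Evasive manoeuvre on a highway", "Driving, high speed",
                   "Vehicle pushed toward the adjacent lane or oncoming traffic",
                   Severity.S3, Exposure.E4, Controllability.C3, SG_NO_UNINTENDED_TORQUE),
    HazardousEvent("Unintended LKA torque against driver input",
                   "Lane change in urban traffic", "Driving, low speed",
                   "Vehicle drifts into the neighbouring lane",
                   Severity.S2, Exposure.E4, Controllability.C2, SG_NO_UNINTENDED_TORQUE),
]


def derive_safety_goals(events: Iterable[HazardousEvent]) -> Dict[str, str]:
    """Assign each safety goal the highest ASIL of the hazardous events it covers."""
    order = ["QM", "ASIL A", "ASIL B", "ASIL C", "ASIL D"]
    goals: Dict[str, str] = {}
    for ev in events:
        current = goals.get(ev.safety_goal, "QM")
        goals[ev.safety_goal] = max(current, ev.asil, key=order.index)
    return goals


if __name__ == "__main__":
    for ev in LDW_LKA_EVENTS:
        print(f"{ev.asil:6}  {ev.malfunction} [{ev.operational_situation}]")
    for goal, level in derive_safety_goals(LDW_LKA_EVENTS).items():
        print(f"{level:6}  {goal}")
```

Running the file lists the ASIL of each constructed event and then of each safety goal; SG3 ends up at ASIL D because its highway-speed event is rated S3/E4/C3, even though the same malfunction at low speed only reaches ASIL B. The lookup encodes the allocation table as a sum rule; anyone adopting something like this in a real HARA tool should keep a test that compares the rule against the printed table in ISO 26262-3 row by row, because a single off-by-one in a parameter scale silently shifts every ASIL by one level.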
