
Abstract
To meet the hardware requirements of ISO 26262, this study provides a detailed method for assessing the functional safety of automotive microcontrollers. Part 5 of ISO 26262, which covers the first phase of hardware construction in automotive hardware development, sets out the hardware safety requirements. In this phase the hardware safety design is created, implemented, integrated, and tested based on the results of Parts 3 and 4 of ISO 26262. A comprehensive assessment of the hardware during the development phase is crucial to ensure compliance with ISO 26262. Introduced in November 2011, ISO 26262 is a set of rules and methods aimed at managing safety risk from sensors to actuators. The embedded electronic systems of most modern vehicles include electronic control units (ECUs), electronic sensors, signals, bus systems, and code. Because of this complex use of electrical, electronic, and programmable electronic devices, automotive systems require detailed safety assessments of potential failure risks.
Introduction
The International Organization for Standardization (ISO) 26262 is a set of rules for the safety of electrical and electronic systems in vehicles, covering potential hazards that may arise from the interaction or failure of various systems. ISO 26262 is a variant of IEC 61508. The field of system safety engineering is witnessing an influx of new functionalities, such as propulsion systems, driver assistance systems, active and passive safety systems, and vehicle dynamics control systems. As the complexity of technology, software content, and mechatronic implementation levels continue to rise, the likelihood of both planned and unplanned hardware failures is also increasing. ISO 26262 helps mitigate these risks by outlining appropriate standards and procedures. Several safety measures are adopted at each stage of development to ensure system safety, which are incorporated into various technologies such as mechanical, hydraulic, pneumatic, electrical, electronic, and programmable electronic technologies. While ISO 26262 primarily addresses functional safety issues of E/E systems, it also provides a framework for assessing safety-related systems that rely on other technologies.
a) ISO 26262 defines the automotive safety lifecycle and helps customize the required tasks at each stage of the lifecycle (management, development, manufacturing, operation, service, decommissioning);
b) It provides a risk-based approach to determine integrity levels specific to the automotive industry;
c) It specifies relevant requirements of ISO 26262 using Automotive Safety Integrity Levels (ASIL) to prevent unreasonable residual risks;
d) It outlines verification and validation procedures to ensure adequate safety levels are achieved;
e) It outlines requirements for collaboration with suppliers.
What is ISO 26262?
ISO 26262 is a globally recognized standard for functional safety in automotive systems, which all electrical and electronic systems in vehicles (including their software and hardware components) must comply with. The safety-related functions of the system, as well as the development processes, methods, and tools, must adhere to the standards set forth by ISO 26262. Throughout the vehicle’s lifecycle, the ISO 26262 standard checks to ensure that adequate safety measures have been taken.
Why is the ISO 26262 Automotive Industry Safety Standard Important?
Automotive original equipment manufacturers (OEMs) and suppliers benefit from using ISO 26262 to assess the safety of electrical and electronic components in vehicles:
· ISO 26262 demonstrates preparedness and helps ensure the safety of vehicles and/or related systems.
· Accurate understanding and application of ISO 26262 maintains a competitive edge.
· It prevents injuries and market rejection of the product as far as possible. Insufficient safety assurance can lead to costly product recalls and damage to company reputation.
· By ensuring compliance with applicable international rules, it simplifies entry into foreign markets.
Implementation of ISO 26262
During the implementation of ISO 26262, all employees and management using the system must understand the risks and action plans, including system documentation, planned training, and appropriate handling of all issues, so that everything remains under control. As shown, automotive manufacturers will undoubtedly benefit from the successful implementation of this standard. In the first phase, risk assessments and hazard analyses are conducted on selected projects within the system. The next step is to identify all categorized hazards and assign an ASIL after establishing safety goals (SF). Technical safety requirements are defined during the development process and then refined further to the software and hardware levels. In practice, changing operational processes during development is quite challenging. Therefore, functional safety requirements are assigned to components based on the initial design assumptions of the project. Thus, to begin implementing ISO 26262, pilot projects must be selected. When developing new vehicle models, potential issues with future systems must be considered in advance and addressed as soon as possible. All relevant safety requirements must be planned and executed during the development and subsequent phases. ASIL has four levels, each corresponding to a specific combination of severity, exposure likelihood, and controllability; Level D is the lowest safety level, while Level A is the highest. In most cases, ASIL levels A–C are used.

Figure: Phased Implementation of ISO 26262
· Early Stage: Adequate planning, design, and analysis of the safety lifecycle
· Development Stage: Selecting appropriate methods and technologies that help detect errors early in the lifecycle
· Late Stage: Avoiding costly and time-consuming corrective measures
The development, production, and service phases, as well as management and supervision stages, all impact functional safety, including tasks such as requirements definition, design, implementation, integration, verification, validation, and configuration. The development process and its outcomes (in terms of functionality or quality) are closely related to safety issues. ISO 26262 is entirely centered around safety regarding the development process and the final product.
Some terms used in ISO 26262 are as follows:
· ASIL (Automotive Safety Integrity Level): Level D is the most stringent level, while Level A is the least stringent; these levels outline the requirements of ISO 26262 for projects or elements (1.69) or safety measures (1.110), as well as actions required to prevent excessive residual risks (1.97). ISO 26262-9 provides a detailed description of ASIL analysis. (Standard ISO 26262-1:1.6/ISO 26262-9).
· ASIL Decomposition: Another name for ASIL decomposition is “ASIL tailoring,” which represents the breakdown of Automotive Safety Integrity Levels. It attempts to reduce the ASIL of relevant elements by assigning redundant safety standards to sufficiently independent elements (1.6)(1.32). (Standard ISO 26262-9 5.4.10/ISO 26262-1 1.7/ISO 26262-9 5 provides flowchart processes).
· AUTOSAR (Automotive Open System Architecture): A free, standardized automotive software architecture created jointly by tool manufacturers, suppliers, and automotive manufacturers, independently of ISO 26262.
· CCF (Common Cause Failure): The failure of two or more elements of a project resulting from a single event or root cause. Common cause failures are the dependent failures (DF) (1.22) that are not cascading failures (CF) (1.13). (ISO 26262-1 1.14).
· CF (Cascading Failure): The failure of one element of a project that in turn causes other elements to fail. Cascading failures are the dependent failures (DF) (1.22) that are not common cause failures (CCF) (1.14). (ISO 26262-1 1.13).
· CMF (Common Mode Failure): When multiple components fail in the same manner, it is referred to as a common mode failure. It is examined using fault tree analysis (FTA). ISO 26262-10 Section 3.2.
· DC (Diagnostic Coverage): The percentage of a hardware element's failure rate (1.32) that is detected or controlled by the implemented safety mechanisms (1.41), relative to its total failure rate. (ISO 26262-1 1.25 and ISO 26262-5 Annex D).
· DF (Dependent Failure): A failure (1.39) whose probability of occurring simultaneously with, or subsequently to, another failure cannot be expressed simply from the unconditional probabilities of the individual failures. Dependent failures include CCF (1.14) and cascading failures CF (1.13). ISO 26262-1 1.22 defines the term, and ISO 26262-9 Section 7 describes dependent failure analysis (DFA).
· DFA (Dependent Failure Analysis): Dependent failure analysis identifies the specific events or causes that could impair the required independence, or freedom from interference, between the given elements, in order to ensure that no safety requirement or safety goal is violated. (ISO 26262-9 Section 7).
· DIA (Development Interface Agreement): DIA stands for “Development Interface Agreement,” which is a contract between customers and suppliers outlining responsibilities regarding actions, evidence, and final deliverables. For example, see ISO 26262-5 B (ISO 26262 1.24/ISO 26262-8 5).
· E/E/PE: The term “E/E/PE” refers to electrical, electronic, and programmable electronic technologies, as defined in IEC 61508-4 Section 3.2.6 (see the examples there for clarification).
· EMI (Electromagnetic Interference): Refers to interruptions in power circuits caused by external electromagnetic radiation sources or electromagnetic induction.
· EOS (Electrical Overstress): In terms of electrical overstress, failures may manifest in several different ways: thermal, electromigration, or electric field-induced. It may lead to latch-up short circuits. ISO 26262-10 A.3.4.2.4 provides examples of failure rates attributable to EOS. Calculation methods can be found in the “Reliability Data Handbook – General” (IEC TR 62380).
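The diagnostic coverage (DC) defined above is the ratio of the detected or controlled failure rate to the total failure rate of a hardware element. The following Python example, written for this page and not taken from the article, computes DC over a constructed FMEDA-style table for a hypothetical microcontroller (element names, FIT values and coverage claims are all made up), reports the residual undetected failure rate, and classifies each safety mechanism against the low/medium/high DC ratings used in ISO 26262-5 Annex D (60 %, 90 %, 99 %).

```python
"""Diagnostic coverage from a constructed FMEDA table (added example)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class FailureMode:
    element: str           # hardware element (hypothetical name)
    mode: str              # failure mode of that element
    fit: float             # failure rate in FIT (failures per 1e9 h), constructed
    mechanism: str         # safety mechanism claimed to detect/control it ("" = none)
    dc_claim: float        # fraction of this mode's rate the mechanism covers

# Constructed rows for a hypothetical microcontroller; not measured data.
FMEDA = [
    FailureMode("cpu_core", "stuck_at",        20.0, "lockstep_compare", 0.99),
    FailureMode("cpu_core", "timing",           5.0, "watchdog",         0.90),
    FailureMode("sram",     "bit_flip",        30.0, "ecc",              0.99),
    FailureMode("sram",     "address_decoder",  4.0, "",                 0.00),
    FailureMode("clock",    "drift",            1.0, "clock_monitor",    0.60),
]

def total_fit(rows):
    return sum(r.fit for r in rows)

def detected_fit(rows):
    """Failure rate that is detected or controlled by a safety mechanism."""
    return sum(r.fit * r.dc_claim for r in rows)

def diagnostic_coverage(rows):
    """DC = detected-or-controlled failure rate / total failure rate."""
    total = total_fit(rows)
    return detected_fit(rows) / total if total else 0.0

def residual_fit(rows):
    """Failure rate left undetected; this is what random-fault metrics build on."""
    return total_fit(rows) - detected_fit(rows)

def dc_rating(dc):
    """Map a DC value onto the ISO 26262-5 Annex D claim classes."""
    if dc >= 0.99:
        return "high"
    if dc >= 0.90:
        return "medium"
    if dc >= 0.60:
        return "low"
    return "none"

def mechanism_coverage(rows):
    """Per-mechanism DC over the failure modes each mechanism is claimed for."""
    acc = {}
    for r in rows:
        if r.mechanism:
            cov, tot = acc.get(r.mechanism, (0.0, 0.0))
            acc[r.mechanism] = (cov + r.fit * r.dc_claim, tot + r.fit)
    return {m: (cov / tot, dc_rating(cov / tot)) for m, (cov, tot) in acc.items()}

def uncovered_modes(rows):
    """Failure modes with no safety mechanism at all (candidates for review)."""
    return [(r.element, r.mode) for r in rows if not r.mechanism]
```

With the constructed table the overall DC is 91 % and 5.4 FIT remain undetected, of which the uncovered SRAM address-decoder mode contributes the most.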

Details of ISO 26262
After several revisions, the second edition of ISO 26262 was released in December 2018, with the first edition published in November 2011. The first edition focused on mass-produced passenger cars under 3500 kg, while the second edition expanded the scope to include trucks, buses, and motorcycles. The main discussion of ISO 26262 will revolve around the updates in the second edition.

Figure: Overview of ISO 26262 (V Model)
· Part 1: Vocabulary
· Part 2: Functional Safety Management
· Part 3: Concept Phase
· Part 4: System-Level Product Development
· Part 5: Hardware-Level Product Development
· Part 6: Software-Level Product Development
· Part 7: Production and Operation
· Part 8: Supporting Processes
· Part 9: ASIL and Safety-Oriented Analysis
· Part 10: ISO 26262 Guidelines
· Part 11: Semiconductor Guidelines
· Part 12: Motorcycles (New Section in the Second Edition)

Functional Safety
The concept of functional safety arises from the need to build products and services in such a way that unforeseen or unpreventable hazardous events do not occur. Designers should consider both systematic and random failures when manufacturing safety devices for the workplace. Systematic failures (sometimes referred to as errors) result from design issues, and guarding against them helps ensure that products do not accidentally harm anyone. The first step in preventing systematic failures is to develop reliable design methods that are robust against design errors. The process begins with requirements gathering, followed by specification development. Each stage, including the creation of design prototypes and their verification and evaluation, is detailed and examined. Maintaining all manufacturing-related documentation records is crucial, and the records should be readily available when needed. Random failures, the most common type, occur after production. Because random failures cannot be completely prevented, safety mechanisms should preserve safety even when everything goes wrong.

Figure: Functional Safety Standards System
· Basic Safety Standards: IEC61508 (Functional Safety), IEC61511 (Safety Instrumented Systems for Process Industries), IEC82061 (Mechanical Safety), IEC13849 (Safety-Related Parts of Control Systems)
· Group Safety Standards: IEC62279 (Household and Similar Electrical Appliances), (Nuclear Power Plants), (Railway Applications), ISO26262 (Road Vehicles), ISO13482 (Robots and Robotic Devices)
· Product Safety Standards: IEC60601 (Medical Electrical Equipment), EN81 (Lifts), EN50156-1 (Electrical Equipment for Furnaces)
Results and Discussion – Simulation Results
The simulation results of a 16-bit CPU are shown in the figure below. The test bench receives alarm signals from the clock generator for functional testing. The simulator executes programs held in the memory units against the test cases, simulating the CPU.

Figure: Simulation Results of NOP Instruction Window 1
The two figures show the simulation results. The NOP instruction executes between 15 and 45 nanoseconds, requiring only three clock cycles because it has no execution period. Four read operations follow, occupying 45 to 245 nanoseconds in total, which corresponds to five clock cycles each.

Figure: Simulation Results of NOP Instruction Window 2

Conclusion
The success of this implementation will bring numerous advantages to the automotive industry in the long term. Although fully integrating this standard into current safety-related electrical and electronic (E/E) systems is a lengthy process, its application advantages will enhance the global competitiveness of the automotive industry. Since ISO 26262 does not specify how to achieve established goals, there remain many research directions yet to be explored in the field of vehicle safety assessment. The automotive industry may require some assistance in adopting this new standard, and various methods and techniques may be useful, including risk and hazard assessments and the creation of systems, software, and hardware. As this standard is about to be implemented in the automotive industry, research supporting existing methods and procedures presents several possibilities and challenges. The automotive industry can expect ISO 26262 to guide how to maintain the high levels of safety achieved and how to implement next-generation safety systems.
This article was translated by Doubao Software; please refer to the original text for any inaccuracies.