ISO 26262 Overview
Some years ago it was hard to imagine implementing safety for an autonomous vehicle; now we at least believe that it is not impossible to build.
ISO 26262 is a road vehicle functional safety standard that provides guidelines for achieving functional safety in all electrical and electronic systems installed in production vehicles. This article aims to provide a high-level understanding of the ISO 26262 standard.
ISO 26262 is a risk-based safety standard that aims to address possible hazards caused by the malfunctioning behaviour of electronic components in vehicles, and it helps manufacturers build safety into these components so that such hazardous situations are avoided.
Achieving zero risk is not possible; there is always some residual risk, which may be reasonable or unreasonable. Functional safety is the absence of unreasonable risk due to hazards caused by the malfunctioning behaviour of E/E/PE systems (electrical, electronic and programmable electronic). It is considered a system property that focuses on risks arising from systematic faults and random hardware faults in hardware or software development and production.
The focus of this standard is on how to identify such risks and how to control hazardous malfunctions of electronic systems.
Systematic faults are sometimes predictable and are mainly caused by flaws in design (software or hardware). Systematic faults can be avoided through robust functional testing, multiple levels of design review, security reviews and clean documentation.
Random hardware faults are unpredictable failures that occur during the lifetime of hardware components, for example a voltage spike or radioactive decay of the chip package. These can also be avoided to some degree, through runtime software testing, ECC memory protection and voltage monitoring.
To achieve functional safety, the ISO 26262 series of standards:
- a) provides a reference for the automotive safety lifecycle and supports the tailoring of the activities to be performed during the lifecycle phases, i.e., development, production, operation, service and decommissioning;
- b) provides an automotive-specific risk-based approach to determine integrity levels [Automotive Safety Integrity Levels (ASILs)];
- c) uses ASILs to specify which of the requirements of ISO 26262 are applicable to avoid unreasonable residual risk;
- d) provides requirements for functional safety management, design, implementation, verification, validation and confirmation measures; and
- e) provides requirements for relations between customers and suppliers.
Source: ISO 26262 OBP
The ISO 26262 lifecycle begins with the concept phase, which includes:
- Item definition — provides an understanding of the system being developed; it consists of assumptions, basic architecture, requirements and dependencies.
- Initiation of the safety lifecycle
- Hazard Analysis and Risk Assessment (HARA) — analyses hazards across various driving situations, defines the risk level and determines the ASIL.
- Functional safety concept — defines safety goals according to the ASIL.
ASIL (Automotive Safety Integrity level)
ASIL is a risk classification scheme that specifies the safety requirements an item needs in order to avoid unreasonable risk with the help of safety measures. There are four ASILs, A, B, C and D, where A is the lowest and D the highest risk level. Each level carries different requirements that must be implemented to reduce that level of risk.
The ASIL is derived from three ratings: the severity scale, the exposure scale and the controllability scale.
- Severity — the possible degree of physical harm to people inside the vehicle as well as to others outside it.
- Exposure — how often the vehicle is in the described hazardous situation.
- Controllability — to what extent the hazardous situation can be controlled or avoided.
Image Source — Synopsys
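As an added example (not code from the article), the small HARA helper below rates constructed hazardous events on the three scales above, derives each event's ASIL from the S/E/C determination table in ISO 26262-3, and assigns each safety goal the highest ASIL of the events it covers. The brake-by-wire events, safety goal wording and function names are assumptions made for the example.

```python
"""Hazard Analysis and Risk Assessment (HARA) helper (added example)."""
from dataclasses import dataclass

# ISO 26262-3 ASIL determination table.
# Outer key: severity S1..S3; inner key: exposure E1..E4;
# value: the ASIL for controllability C1, C2, C3 in that order.
ASIL_TABLE = {
    1: {1: "QM QM QM", 2: "QM QM QM", 3: "QM QM A", 4: "QM A B"},
    2: {1: "QM QM QM", 2: "QM QM A",  3: "QM A B",  4: "A B C"},
    3: {1: "QM QM A",  2: "QM A B",   3: "A B C",   4: "B C D"},
}
# Ordering used to pick the most demanding ASIL (QM = no ASIL required).
ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}


@dataclass(frozen=True)
class HazardousEvent:
    situation: str        # driving situation in which the hazard occurs
    safety_goal: str      # goal that would prevent this hazardous event
    severity: int         # S1..S3
    exposure: int         # E1..E4
    controllability: int  # C1..C3


def determine_asil(s: int, e: int, c: int) -> str:
    """Map one severity/exposure/controllability rating to QM or ASIL A..D."""
    if not (1 <= s <= 3 and 1 <= e <= 4 and 1 <= c <= 3):
        raise ValueError(f"rating out of range: S{s} E{e} C{c}")
    return ASIL_TABLE[s][e].split()[c - 1]


def safety_goal_asils(events) -> dict:
    """A safety goal inherits the highest ASIL among the events it covers."""
    goals: dict = {}
    for ev in events:
        asil = determine_asil(ev.severity, ev.exposure, ev.controllability)
        goals[ev.safety_goal] = max(asil, goals.get(ev.safety_goal, "QM"),
                                    key=ASIL_RANK.get)
    return goals


# Constructed sample HARA rows for a hypothetical brake-by-wire item.
SAMPLE_EVENTS = [
    HazardousEvent("Highway, 130 km/h", "Avoid unintended loss of braking", 3, 4, 3),
    HazardousEvent("Parking, under 10 km/h", "Avoid unintended loss of braking", 1, 4, 2),
    HazardousEvent("Urban road, 50 km/h", "Avoid unintended braking", 2, 3, 2),
]

if __name__ == "__main__":
    for goal, asil in safety_goal_asils(SAMPLE_EVENTS).items():
        print(f"{asil:>2}  {goal}")
```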
V-Model
The next phase in the ISO 26262 lifecycle is the development phase, where all safety goals and higher-level requirements are designed, implemented and tested following the V-model. The V-model is an SDLC and verification model in which each testing phase is paired with a particular development phase. ISO 26262 relies on this V-model framework to match requirements with their corresponding tests and so achieve traceability. Below is a sample safety V-model with each test phase corresponding to a development phase.
The last phase of the ISO 26262 safety lifecycle covers production, operation, service and decommissioning. Traceability is the key to achieving a quality product throughout the development and production phases.
To make the product more secure, it is essential to add threat modelling during the design review phase. Threat modelling is a process that identifies possible vulnerabilities within the product's structure and ways to mitigate them. I will soon write about threat modelling in the next article.