Contributed by Bob Chabot
ISO Helps Build Safer Vehicles
Standard 26262 assures service and driver confidence
The International Organization for Standardization’s functional safety standard for road vehicles, ISO 26262, describes the design and test procedures and the quality tools for the electrical and/or electronic (E/E) systems installed in series-production road vehicles, together with the safety practices that go with them. It addresses the need for an automotive-specific international standard and covers the key safety components, the qualification of associated hardware and software, the test processes and the qualification of the tools used to demonstrate ISO 26262 compliance.
Growing complexity throughout the automotive industry has increased the effort needed to deliver safety-compliant systems. For example, modern automobiles use by-wire systems, such as throttle-by-wire. In such a system, when the driver presses the accelerator, a sensor in the pedal sends a signal to an electronic control unit (ECU).
Layout of the ISO 26262 process. (All images — International Organization for Standardization)
The control unit evaluates several inputs (such as engine speed, vehicle speed and pedal position) and then sends a command to the throttle body. Testing and validating systems like throttle-by-wire is a challenge for the automotive industry, and the goal of ISO 26262 is to provide a unifying safety standard for all automotive E/E systems.
Since its draft (ISO/DIS 26262) was released in June 2009, ISO 26262 has gained traction as the state-of-the-art technical standard for the automotive industry. Implementing it gives manufacturers a common yardstick for how safe a system will be in service, and its common vocabulary provides a way to refer to specific parts of a system and to compare the safety of different manufacturers’ systems.
ISO 26262 covers many safety-related systems within a vehicle.
Key Components of ISO 26262
“ISO 26262 uses a system of steps to manage functional safety and regulate product development on a system, hardware and software level. It provides regulations and recommendations throughout the product development process, from conceptual development through decommissioning. It also details how to assign an acceptable risk level to a system or component and document the overall testing process.”
“ISO 26262’s Automotive Safety Lifecycle describes the entire production safety lifecycle, including the need for a safety manager; the development of a safety plan; and the definition of confirmation measures including safety review, audit and assessment. These requirements are intended to be used for the development of E/E systems and elements.”
In addition, ISO 26262’s compliance measure, the Automotive Safety Integrity Level (ASIL), is determined at the beginning of the development process. The intended functions of the system are analyzed with respect to possible hazards; the ASIL asks, “If a failure arises, what will happen to the driver and associated road users?” Risk is estimated from a combination of three factors: the probability of exposure to the operating situation, the controllability of the hazard by the driver and the severity of the possible outcome. Each hazard, and the safety goal and safety requirements derived from it, is assigned an ASIL of A, B, C or D (a hazard that poses no unreasonable risk is marked QM, meaning normal quality management is sufficient), with D being the most safety-critical and carrying the strictest development and test requirements. The ASIL determines which methods must be used for verification and test. Once the ASIL is determined, a safety goal for the system is formulated that defines the behavior needed to ensure safety.
For example, consider a windshield wiper system. The hazard analysis and risk assessment determines the effect that loss of wiper function has on driver visibility in the situations in which the vehicle will be driven, and the resulting ASIL gives guidance for choosing adequate methods for reaching the required level of integrity of the product. This guidance is meant to complement current safety practices: current automobiles are already manufactured to a high safety level, and ISO 26262 is meant to standardize certain practices throughout the industry.
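The ASIL determination described above, written out as an added example in C (this is not code from the article or from any vehicle program). `asil_from_sec()` reproduces the severity/exposure/controllability lookup of ISO 26262-3 Table 4, and `decomposition_valid()` checks a proposed ASIL decomposition against the pairings ISO 26262-9 allows. The hazards and their S/E/C ratings in `main()` are constructed illustrations, not a real analysis.

```c
#include <stdbool.h>
#include <stdio.h>

/* ASIL determination and ASIL decomposition check (added example, not from the
 * article). asil_from_sec() reproduces ISO 26262-3 Table 4; decomposition_valid()
 * encodes the pairings allowed by ISO 26262-9. The hazards listed in main() are
 * constructed illustrations: their S/E/C ratings are assumptions, not an analysis. */

typedef enum { ASIL_INVALID = -1, ASIL_QM = 0, ASIL_A = 1, ASIL_B = 2,
               ASIL_C = 3, ASIL_D = 4 } asil_t;

/* Severity S0..S3, probability of exposure E0..E4, controllability C0..C3. */
typedef struct { int s, e, c; } sec_t;

const char *asil_name(asil_t a)
{
    static const char *const names[] = { "QM", "A", "B", "C", "D" };
    return (a >= ASIL_QM && a <= ASIL_D) ? names[a] : "invalid";
}

/* ISO 26262-3 Table 4 collapses to arithmetic: a class of 0 in any column gives
 * QM; otherwise S+E+C of 6 or less is QM and 7, 8, 9, 10 map to A, B, C, D.
 * Out-of-range classes are rejected rather than silently clamped. */
asil_t asil_from_sec(sec_t r)
{
    if (r.s < 0 || r.s > 3 || r.e < 0 || r.e > 4 || r.c < 0 || r.c > 3)
        return ASIL_INVALID;
    if (r.s == 0 || r.e == 0 || r.c == 0)
        return ASIL_QM;
    int sum = r.s + r.e + r.c;
    return sum <= 6 ? ASIL_QM : (asil_t)(sum - 6);
}

/* ISO 26262-9 permits splitting a requirement over two sufficiently independent
 * elements only as D -> C+A, B+B, D+QM; C -> B+A, C+QM; B -> A+A, B+QM; A -> A+QM.
 * With QM..D numbered 0..4 that is exactly "the two parts sum to the original".
 * Each part keeps the original level in parentheses, e.g. B(D), and the
 * independence (freedom from interference) argument is still made at the original ASIL. */
bool decomposition_valid(asil_t original, asil_t part1, asil_t part2)
{
    if (original < ASIL_A || original > ASIL_D) return false;
    if (part1 < ASIL_QM || part1 > ASIL_D || part2 < ASIL_QM || part2 > ASIL_D) return false;
    return part1 + part2 == original;
}

typedef struct { const char *hazard; sec_t rating; } hazard_t;

int main(void)
{
    /* Constructed examples; the ratings are illustrative assumptions. */
    const hazard_t hazards[] = {
        { "Loss of wiper function in heavy rain at motorway speed", { 2, 3, 2 } },
        { "Unintended throttle opening in urban traffic",           { 3, 4, 2 } },
        { "Wiper fails to park after use, dry weather",            { 1, 4, 1 } },
    };
    for (size_t i = 0; i < sizeof hazards / sizeof hazards[0]; i++) {
        asil_t a = asil_from_sec(hazards[i].rating);
        printf("%-57s S%d E%d C%d -> ASIL %s\n", hazards[i].hazard, hazards[i].rating.s,
               hazards[i].rating.e, hazards[i].rating.c, asil_name(a));
    }
    /* Decomposing an ASIL C throttle goal into B(C) + A(C) is allowed; A(C) + A(C) is not. */
    printf("C -> B+A: %s, C -> A+A: %s\n",
           decomposition_valid(ASIL_C, ASIL_B, ASIL_A) ? "valid" : "invalid",
           decomposition_valid(ASIL_C, ASIL_A, ASIL_A) ? "valid" : "invalid");
    return 0;
}
```

The arithmetic form is only a compact encoding of the published table; a reviewer should still check the three class ratings themselves, since a one-step change in exposure or controllability moves the wiper hazard between QM and ASIL A, and decomposition never lowers the level at which independence between the two elements must be argued.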
ISO 26262 is designed to accommodate many new and emerging automobile technologies.
Qualification of Hardware and Software Components is Essential
Hardware qualification has two main objectives: to show how the part fits into the overall system and to assess its failure modes. Basic hardware components can be qualified with a standard qualification, but more complex parts require evaluation through ASIL decomposition and testing. Hardware components are typically qualified by testing the part under a variety of environmental and operational conditions. The test results are then analyzed with numerical methods and presented in a qualification report along with the test procedure, assumptions and input criteria.
Software qualification assesses behavior in failure and overload situations. The process is dramatically simplified by using already-qualified software components during development of an application. Qualified software components are generally well-established products that are reused across projects, such as libraries, operating systems, databases and driver software. To qualify a software component, the standard requires testing under normal operating conditions together with fault injection: deliberately inserting faults into the system to determine how it reacts to abnormal inputs.
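To make the fault-injection requirement concrete, here is an added example (not code from the article or from any vehicle program) of the kind of software that gets qualified this way: a throttle-by-wire pedal plausibility monitor of the sort that sits between the pedal sensor and the throttle command described at the top of the page, driven by a small harness that injects faults. The dual-track pedal sensor, the 12-bit ADC ranges, the 10 ms cycle and every constant below are assumptions for illustration, and the sample sequences are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Throttle-by-wire pedal plausibility monitor plus a fault-injection harness
 * (added example; not code from the article or from any vehicle program).
 * Assumptions, not from the page: a dual-track pedal sensor read by a 12-bit
 * ADC with track 2 at half the gain of track 1 (a common arrangement), a 10 ms
 * control cycle, and the range, tolerance and timing constants below. */
#define T1_MIN 410u       /* track 1: 0.5 V..4.5 V of a 5 V reference, in ADC counts */
#define T1_MAX 3686u
#define T2_MIN 205u       /* track 2: 0.25 V..2.25 V (half gain) */
#define T2_MAX 1843u
#define PLAUS_TOL 205u    /* allowed |track1 - 2*track2|, about 5 % of full scale */
#define MAX_AGE_MS 50u    /* a sample older than this counts as a lost signal */
#define LIMP_MAX_PCT 30u  /* demand cap while running on a single track */
#define FAULT_CONFIRM 3   /* consecutive faulty cycles needed before degrading */

typedef enum { THROTTLE_NORMAL, THROTTLE_LIMP, THROTTLE_CLOSED } throttle_mode_t;
typedef struct { uint16_t track1_raw, track2_raw; uint32_t timestamp_ms; } pedal_sample_t;
typedef struct {
    throttle_mode_t mode;   /* LIMP and CLOSED latch for the rest of the drive cycle */
    uint8_t demand_pct;     /* throttle demand handed to the throttle body, 0..100 */
    uint8_t fault_counter;  /* debounce count of consecutive faulty cycles */
} pedal_monitor_t;

static bool in_range(uint16_t v, uint16_t lo, uint16_t hi) { return v >= lo && v <= hi; }
static uint32_t absdiff(uint32_t a, uint32_t b) { return a > b ? a - b : b - a; }
static uint8_t pct_from(uint16_t v, uint16_t lo, uint16_t hi)  /* v already range-checked */
{
    return (uint8_t)(((uint32_t)(v - lo) * 100u) / (uint32_t)(hi - lo));
}
void pedal_monitor_init(pedal_monitor_t *m) { m->mode = THROTTLE_NORMAL; m->demand_pct = 0; m->fault_counter = 0; }

/* One control cycle: validate the latest sample and derive the throttle demand. */
throttle_mode_t pedal_monitor_step(pedal_monitor_t *m, const pedal_sample_t *s, uint32_t now_ms)
{
    if (m->mode == THROTTLE_CLOSED) { m->demand_pct = 0; return m->mode; }  /* latched safe state */
    bool fresh = (now_ms - s->timestamp_ms) <= MAX_AGE_MS;  /* unsigned wrap also reads as stale */
    bool t1_ok = in_range(s->track1_raw, T1_MIN, T1_MAX);
    bool t2_ok = in_range(s->track2_raw, T2_MIN, T2_MAX);
    bool agree = t1_ok && t2_ok && absdiff(s->track1_raw, 2u * s->track2_raw) <= PLAUS_TOL;
    if (fresh && agree) {                         /* clean cycle */
        uint8_t p = pct_from(s->track1_raw, T1_MIN, T1_MAX);
        m->fault_counter = 0;
        m->demand_pct = (m->mode == THROTTLE_LIMP && p > LIMP_MAX_PCT) ? LIMP_MAX_PCT : p;
        return m->mode;
    }
    /* Faulty cycle: debounce so a single ADC glitch does not strand the driver,
     * holding the last good demand until the fault is confirmed. */
    if (m->fault_counter < FAULT_CONFIRM) m->fault_counter++;
    if (m->fault_counter < FAULT_CONFIRM) return m->mode;
    if (fresh && (t1_ok != t2_ok)) {              /* exactly one track still credible */
        uint8_t p = t1_ok ? pct_from(s->track1_raw, T1_MIN, T1_MAX)
                          : pct_from(s->track2_raw, T2_MIN, T2_MAX);
        m->mode = THROTTLE_LIMP;
        m->demand_pct = p > LIMP_MAX_PCT ? LIMP_MAX_PCT : p;
    } else {                                      /* lost signal, both tracks bad, or disagreement */
        m->mode = THROTTLE_CLOSED;
        m->demand_pct = 0;
    }
    return m->mode;
}

/* Fault-injection harness: feed one constructed sample per 10 ms cycle; once the
 * samples run out the "bus" goes silent and the last sample is simply re-read. */
pedal_monitor_t run_scenario(const pedal_sample_t *samples, size_t n_samples, size_t cycles)
{
    pedal_monitor_t m;
    pedal_monitor_init(&m);
    for (size_t i = 0; i < cycles; i++)
        pedal_monitor_step(&m, &samples[i < n_samples ? i : n_samples - 1], (uint32_t)(i * 10u));
    return m;
}

/* Constructed scenarios (2048/1024 counts is a consistent 50 % pedal). */
#define LEN(a) (sizeof(a) / sizeof((a)[0]))
const pedal_sample_t scn_nominal[]      = { {2048,1024,0}, {2048,1024,10}, {2048,1024,20}, {2048,1024,30} };
const pedal_sample_t scn_glitch[]       = { {2048,1024,0}, {0,1024,10}, {2048,1024,20}, {2048,1024,30} };
const pedal_sample_t scn_track1_short[] = { {0,1024,0}, {0,1024,10}, {0,1024,20}, {0,1024,30} };
const pedal_sample_t scn_disagree[]     = { {3500,1024,0}, {3500,1024,10}, {3500,1024,20}, {3500,1024,30} };
const pedal_sample_t scn_lost_signal[]  = { {2048,1024,0} };   /* then silence */

int main(void)
{
    static const char *const names[] = { "NORMAL", "LIMP", "CLOSED" };
    struct { const char *name; const pedal_sample_t *s; size_t n, cycles; } runs[] = {
        { "nominal",       scn_nominal,      LEN(scn_nominal),      4 },
        { "single glitch", scn_glitch,       LEN(scn_glitch),       4 },
        { "track 1 short", scn_track1_short, LEN(scn_track1_short), 4 },
        { "disagreement",  scn_disagree,     LEN(scn_disagree),     4 },
        { "lost signal",   scn_lost_signal,  LEN(scn_lost_signal),  12 },
    };
    for (size_t i = 0; i < LEN(runs); i++) {
        pedal_monitor_t m = run_scenario(runs[i].s, runs[i].n, runs[i].cycles);
        printf("%-14s -> %-6s demand %3u%%\n", runs[i].name, names[m.mode], m.demand_pct);
    }
    return 0;
}
```

The scenarios are the abnormal inputs the paragraph talks about: a track shorted to ground, two tracks that disagree, a signal that stops arriving, and a one-cycle glitch that must not trip the monitor. Each one has a defined expected end state (normal, limp with capped demand, or throttle closed), which is what a qualification test checks; the harness drives the monitor at the same cycle rate the ECU would, so the debounce and staleness timing are exercised rather than assumed.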
ISO 26262 strives to ensure technologies are safe before the vehicle production stage, which helps lower total costs.
Both hardware and software components can also meet ISO 26262 requirements through a “proven in use” argument. This clause applies when a component has already been used in comparable applications, with documented field experience and without safety-relevant incidents. For instance, many safety-critical components remained unchanged and showed reliable real-world behavior in manufactured vehicles before ISO 26262 was published. It makes no fiscal sense to apply the full standard to re-develop a system that has already been deployed in millions of vehicles.
One of the main challenges in implementing a standard such as ISO 26262 is applying it both to older processes that have changed and to new processes in current vehicles. Both require pilot projects to show that the safety concepts can be implemented effectively under ISO 26262. The results so far show that ISO 26262 adapts well to these safety concepts. In particular, companies in the automotive industry have seen the benefits of evaluating risk and performing hazard analysis early in their development and test processes.
ISO 26262 employs early risk analysis and testing of new safety technologies.
Test Qualification Increases User Confidence
During development, testing is a critical component of ISO 26262. Safety-critical systems must react properly to test scenarios and stay within specified safety limits when exposed to various human and environmental inputs. Simply put, the high-quality test processes ISO 26262 requires can improve a product’s performance, increase quality and reliability, and lower return rates. A common rule of thumb also holds that the cost of a failure is about 10 times lower when the defect is caught in production rather than in the field, and another 10 times lower when it is caught earlier still, during design rather than production.
By catching these defects and collecting the data to improve a design or process, testing delivers value to manufacturers. Driving new technology and innovation into products through the ISO 26262 process and incorporating best-practice methodologies can generate large efficiency gains and cost reductions. It is easy to look past the tools and think only about the design of the system, but in reality the tools matter a great deal to the end user’s safety.
ISO 26262 also relies on the use of proven, established technologies already in use, provided they are still efficient and capable of supporting new safety measures.
Using Proven Safety Also Keeps Costs Down
An important aspect of tool qualification is the concept of increased confidence from use. If the qualification requirements have already been demonstrated for a given tool and the tool is unchanged, no further qualification is needed. This can dramatically save cost and time throughout the development and production processes for safety-related items or elements.
To make this argument, it must be documented that the tool has previously been used for the same purpose in comparable use cases, that the specification of the tool is unchanged and that there has been no violation of the safety requirements allocated to the previously developed safety-related item.